354300x8000000000000000670492Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:07.296{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51123-false10.0.1.12-8000- 23542300x8000000000000000670491Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:08.804{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5935DDAA571AE078D48A17893E35BE5F,SHA256=CEA4226FC40B694A86A810BBED9351BE74840813C2EAF969726D242A3A16FC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571909Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:08.672{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC490679F24FA49721A4517ABAA612F,SHA256=80435222DDD0CE9DCE4CCCD78AD1EAD07EC42D600DA72201E0F58AF969A2B105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670493Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:09.818{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41547B0309BDCE80D54F9EF5B7281FF,SHA256=78E1EB50F25255EA1A557D08D198217E23827723F2CDD6BC6D9EE91C2333A35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571911Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:09.672{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE527490B3848550BF74CD410765567,SHA256=C47420DAB93F1CFB779CD5F2AC6374BBD2C811E389C86CDC4F66A5AB78341275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571910Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:09.469{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=65B75C2101C5AEC4EFF324132C52F46B,SHA256=E30E09626129BC2A8F0EA518E2B91BB50C449C9D9D99F5514FC22C2DE3C87345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670504Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.819{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E18EF79E6EE1B6E53C2021678547C8,SHA256=3309FAC138993962E90DE119DEFCCB8B7EE3CE4EEC6E2CEB3BE3364E46B4381B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571914Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:10.672{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4DC128B463F65A80C2AEEA212BD971,SHA256=49ABF14D98E3461F273806D7CC8849FD8B4FEAF0C87DA8E3DC149CCBAE1E58D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670503Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.120{7B03F3B2-4788-609D-774E-00000000BA01}1036ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ISE\S-1-5-5-0-27437121\PowerShellISEPipeName_1_ef81047d-3beb-438b-9a37-b80788d920bfMD5=A5EA0AD9260B1550A14CC58D2C39B03D,SHA256=F1B2F662800122BED0FF255693DF89C4487FBDCF453D3524A42D4EC20C3D9C04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670502Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.104{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-4788-609D-774E-00000000BA01}1036C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670501Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.089{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670500Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.089{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670499Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.089{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670498Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.089{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670497Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.089{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670496Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.089{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670495Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.073{7B03F3B2-D0CA-609A-1400-00000000BA01}10764220C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670494Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:10.058{7B03F3B2-4788-609D-774E-00000000BA01}1036ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1036.xmlMD5=5714059E6175AA2BE2D911D4379F98E9,SHA256=264C6878029CE25FF6ED4F8B1DC23FC47E1DCE8FD2D3EE4B31E7066B69968955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571913Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:10.407{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B0C72036F7FF9F4112FA94297406878,SHA256=F808654766B7D0E94E6DD8CA7F9EC46D108DFD14F90AFAAA511B28BF510C9D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571912Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:10.407{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3347526878DEE4ABBCF82DE10C6EEE0,SHA256=9D47E9830D6E34F17065D558B59F37B87529DFC67B8527DB8A0FE873D8900FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571916Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:11.688{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1068E4B0B80C245FD29C851B708D51,SHA256=508F91EF8EB6502627A54BD974DE3C6BFA4CA9BD49277A86A5FA8207AAFEC05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670512Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.835{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD7FED15C307168CAB60C613C46A0D6,SHA256=19F0A82C58C861F9026E3CE416F54A67DDB97DBE87CD241B289D406271668858,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670511Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.457{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A54C-00000000BA01}2120C:\Program Files\Git\git-cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670510Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.457{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A54C-00000000BA01}2120C:\Program Files\Git\git-cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670509Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.457{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670508Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.457{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670507Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.457{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670506Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.457{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670505Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:11.154{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=396329CB22319760E1E3F261D6A6C233,SHA256=85E512ADCEB0378F1DDA5FD08C56EC1811C5CB6C6F6F7835EF088F6B09D080B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000571915Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:08.851{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52742-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000670519Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.855{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC03B595B6C4246FCB2872D6362DD72,SHA256=4463C9BF3507AB799590240B3267DB1D5AF30098ECCCE650804CA337B5784B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571917Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:12.688{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187AABD48957806C1A58880FCB491DA1,SHA256=06B2948A94348C8095ECE0F3CEB4DBBC832C0F49E37D824F57FADE1D724751AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670518Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.403{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670517Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.403{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670516Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.403{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670515Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.403{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670514Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.403{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670513Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.403{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670521Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:13.871{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E1BD8223C5D7691B46BB41FA2DA0C1,SHA256=9EC95ABAD55A025539BC2B9961F43D4CACB12D32D96E12357EBC437F37199D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571918Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:13.704{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F78098EA2E4F7BE9283BDCF34FD0DB,SHA256=E2C6B07F2489E95F79588EE916F5B2A3F1EA499316037862855C7FD6CAAB2EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670520Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:13.103{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B336164CF1B8EBFE19162B99CEA3FF35,SHA256=3274286E3A41E8E1FC19E5D1A784746784BE033BF60FA834260FC44C2DB1AC3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670524Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:14.885{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=816559304BE057D4A3E1ECFB35A9C0BC,SHA256=C47F6DA8CB820BD0DB5C7DB70B0F90B0097CC095A5A9C670CCD80CD73FE7C579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571919Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:14.719{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC8CC9FDE8F458EF8F60A1BB2986685,SHA256=C2E6AB84CBA9228BA0AE6BE662FDA680CC01051171F159D44893B4AF0F1CFD4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670523Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:14.502{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=22FA6C2ECAB9C0330F57C46448C19474,SHA256=985C63C49E6C10CAD4E9BE13728D588BD8090B15B4D71DEB019FFAC26C7DFF63,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670522Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:12.334{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51124-false10.0.1.12-8000- 23542300x8000000000000000670525Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:15.888{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B6A143B1903E6CDC43D981ABA5C8932,SHA256=9FA26F7239DC218D93683463BCA8440D2B1E4A6ABA4A5F6ECFC52FA1A24D1AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571920Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:15.719{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F49CF2D7290EFF62124ACED1B3E9D1,SHA256=A67DB9580E0773B5CF201F2A3109AA684074D06CDAD9D448A399991F2E2BB749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670526Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:16.903{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF6F4346C99ECF217059A3E1BA1B14E,SHA256=BB84B059CAD8DABFD9D5CA5346913D9FA2CD5DEAC4EEBA0AA89F5A207B14E5D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571923Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:16.719{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE355CCEA08E0DA8190975FA4113D456,SHA256=07495B875F6AF97F52709FFAD02D8C1BFB6A6CA4833B47A6A4A3490292653CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571922Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:16.110{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B441B24E6E724415E1C09888BDBD50B,SHA256=274D5DDC7D33A9FD6FFD6F45C636E8EDC1897A3BA521CB43B558BD298973CAB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571921Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:16.110{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B0C72036F7FF9F4112FA94297406878,SHA256=F808654766B7D0E94E6DD8CA7F9EC46D108DFD14F90AFAAA511B28BF510C9D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571925Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:17.735{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8FE9026D293D4773CFD096C134B876,SHA256=5992622225BDBF7C466317869F6BC490A6AAF25EC2191CE49709A8725ED60FAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670527Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:17.934{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCDD9ED4A436F053FCA86E75F78341E,SHA256=9453D88FB64FDFD64B16F8A230EE69792FAFEAE30F1A0FAE27F8113E402920C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000571924Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:14.710{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52743-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000670530Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:18.935{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC32ECB8FD1DBD0041647EC574D599E,SHA256=386B2A84C53AEE0371DADF51ED299BB5615444D422513BE7A316C1AAC9B1FB8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571926Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:18.735{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB81D55D8D8FC206CE3F7573D7AF4190,SHA256=34874DDD91D30BE6637ADF99110648E0B7020697FB9EE9DA4F5D41E688E150FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670529Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:18.153{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04D5B28FE07E24A6D6DB473216026BBF,SHA256=5C1FAA8DE9E546394D4CE5A8B1D6E813539E8ECE4129F59C871CAAB6F8F30F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670528Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:18.152{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DBB5F76D63DECBE0CAE7589E1025FB0,SHA256=27C3B5570B6F0870B20E9D601026A929D1F1E0E1449CD9E5A3EAC5DE031704F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670532Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:19.935{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E106CAF07C029BB6B7D1FB73BAA2DA,SHA256=299CB3F187168AF0878510F5C3503F7B8D76AF21E0ACF722DF7ADE3E147BBCA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571927Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:19.750{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BFB42572FA3A2589DC3C55D5E774F4A,SHA256=6D63FDD186FCA1217640047581B5ADF9ED528FF11C752EA4B0F824B1A91F9B42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670531Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:17.349{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51125-false10.0.1.12-8000- 23542300x8000000000000000670533Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:20.952{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337FC2F693A277FF1655BC913B64F19E,SHA256=607F4B67819AF5320BAFB195993BCB7241AAC8E5F273458A9C14A33A808BB867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571928Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:20.750{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3FAEAF477632C348950D7E837F151D,SHA256=B47C939D8F4F9375F79E7E96DBE4067AA6D8C75A29CF78BEE4729B70A02B1002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670534Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:21.971{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD57BC78E6C88693F1F89AC7952D5206,SHA256=95FC5FD4913B95D0ABC0FF8704D9157FFBD80CE1C7F9B062989AEC1E17303BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571931Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:21.766{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4331A03098958ECC58C3D8BB8C90567C,SHA256=8BDE4461C8EB3769DC0E605F5F82FBE38B65D52B4F56E94755B3357A652DFE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571930Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:21.329{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64C64A5940F00F0CCA2C9D8D1FD4AF0C,SHA256=6500B185B30EA22F0D0484203A6DCA795CBF7BA8AFD024DCAB8570D52DABF5E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571929Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:21.329{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B441B24E6E724415E1C09888BDBD50B,SHA256=274D5DDC7D33A9FD6FFD6F45C636E8EDC1897A3BA521CB43B558BD298973CAB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571933Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:22.766{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814CDA3E940E0891D699ADD07A2E4FD9,SHA256=85EC819787111CDAC84D02D02AE623EEAE49462ADA5EF007CA417E104DD0B269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670536Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:22.985{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=432F70D368F67FE0106E40D42374C228,SHA256=A6BE60BA13B0CBC23FDB2F6B80240950C91A08DB917294597DEFF9728DF31560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670535Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:22.271{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04D5B28FE07E24A6D6DB473216026BBF,SHA256=5C1FAA8DE9E546394D4CE5A8B1D6E813539E8ECE4129F59C871CAAB6F8F30F4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000571932Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:19.726{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52744-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000571934Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:23.797{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BE590E9C9E4BC1D5ECA771B7931D1E,SHA256=A2289BFD829FF1DBFCADCE9C9B1DCDD5992ECFB7556BE0719293E49B184264E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571935Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:24.829{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1F349C8CE20C4D65CC9BA44444A0AD,SHA256=CB7828D2A367FC2DC3DFF31D28CACBC572F0B2B5B2EB7D031E6FB13117CEE697,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670538Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:22.379{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51126-false10.0.1.12-8000- 23542300x8000000000000000670537Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:24.000{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35073299745CC8250A76F0125A87CE7,SHA256=58B14657C17D22F973AF6F224C0B454BA1FE6779F22E0EEECF7C6B1C828FFC93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000571950Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.938{E1BD9FC2-7F05-609D-E150-00000000BB01}36403432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000571949Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.875{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA8E5CBEE60DB078D77658FD626D999,SHA256=98AA1FC023C5FE3EE721C8223810B5BC4BD485F04501B85630CF9C3E02FB0654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670541Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:25.200{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D65F22600ECCA0F426860C41C6BDC2B6,SHA256=E07B9E8593DA0C0950717AA448716B57D9CACB06BE9E4151C310A380A770F6CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670540Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:25.152{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670539Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:25.000{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D69EC2D4DC8E1F253600BB06123635,SHA256=5BDC2F0EA5279570C816426C5EECC18265E6EE2A01FC445590ABE539FF25535C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000571948Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F05-609D-E150-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571947Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571946Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571945Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571944Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571943Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571942Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571941Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571940Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571939Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571938Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-7F05-609D-E150-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000571937Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.813{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F05-609D-E150-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000571936Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:25.814{E1BD9FC2-7F05-609D-E150-00000000BB01}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000571979Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F06-609D-E350-00000000BB01}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571978Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571977Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571976Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571975Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571974Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571973Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571972Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571971Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571970Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571969Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-7F06-609D-E350-00000000BB01}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000571968Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.939{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F06-609D-E350-00000000BB01}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000571967Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.941{E1BD9FC2-7F06-609D-E350-00000000BB01}3376C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000571966Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.892{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24FE622BE8DC917165181F9B1E2C6648,SHA256=915EB21386AFF886100F5275191972BFA92C422A658C3D6F12756C17F2E436AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670544Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:24.431{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51127-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000670543Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:24.431{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51127-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000670542Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:26.014{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B725A397D082E840F1938F747AEEB3C,SHA256=9D1EB87D30F5505304D7533EB87F4EA7D7C08C78A5B34D9850C3E6AF3D09D744,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000571965Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F06-609D-E250-00000000BB01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571964Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571963Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571962Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571961Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571960Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571959Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571958Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571957Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571956Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571955Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F06-609D-E250-00000000BB01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000571954Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.314{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F06-609D-E250-00000000BB01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000571953Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.315{E1BD9FC2-7F06-609D-E250-00000000BB01}3308C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000571952Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:24.772{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52745-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000571951Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:26.203{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64C64A5940F00F0CCA2C9D8D1FD4AF0C,SHA256=6500B185B30EA22F0D0484203A6DCA795CBF7BA8AFD024DCAB8570D52DABF5E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571981Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:27.908{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59951FAF0E4A4EC8971DBF1E7E09C1F0,SHA256=896F881A71FD0CFB6856B34EF6C84A9C7956E90735B261A088BA1F00620936B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670555Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=DB650C50234CCBF23C732D3F9192B75E,SHA256=637205BE77DA2D84F69EB16018BAFCD822EEFB98667DD2FD8509B18F0CC275B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670554Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=54083AAF667D5207BB677FC560800F19,SHA256=1E2C60BAEFA2AB8312FBF2BD938DE5668FBAF320B2B0780559C91AC567CEB68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670553Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=9294C09034F3BD53B05D43D471BD1B1F,SHA256=04D7910538822B972C3AA4D1AC77750D3518A90A5FE30C76A311F6CADDA15B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670552Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=11F4D2C9B6987D57EE9E05AD6A31659A,SHA256=FCB12CA28F3FA0EB22F4C5F97F39C2A3DEA8A3AA168C6B2386906B423FB5D2C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670551Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=A329AD5F3F4C6559C3E04A5E6C12F2F5,SHA256=91F9CF6ADD8269287B351E2DF789BC3CFB8C2DC42C3FF233D4157F27128A89CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670550Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=BD4E2A69C0B8CC4C0D1634546CD0B47E,SHA256=6C418FAC75968B93C8CB91A820603F61E824ECC0A79BA50BF714F02B6D7C3438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670549Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=23D7679051045F060FC81EC208C57D73,SHA256=657A4F9874FC08559235D96A5F02BA386B945735F6B76B11C8B1E2917F214781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670548Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.667{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=76C6DB9A1F900F7B46409B43D2684FCC,SHA256=552C760F06C9C365899D3F8CBA7872C6133167B037C0A03027F9E51946492C6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670547Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:25.377{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51128-false10.0.1.12-8089- 23542300x8000000000000000670546Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.266{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43C0F711038CCBCD8F8658B33DA3425F,SHA256=6DB3C8D7D089FAB93BBE7CCFAFD6AA8C64C69FD8231532428AB14518E82C7971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670545Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:27.049{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D53EFCE4AEDB4CCC66E439ACB5CCE0,SHA256=8088D2F03CA0406EC2F6AE190C9E5445A61B56F8D68C7BFE602205BBC6E821DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571980Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:27.361{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1126368DC18696075CE45AA82E5247C9,SHA256=3D904538775C65429CC60C98505F30AD04B13C5BB77E3227BE0A336D2BF8A1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571982Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:28.925{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB04BFD750D935FA194F0211D6A44018,SHA256=6FBBB862B39DFFEA52B201160B4BA0C150456FEE2D3DF218AF9D663FE3EC76D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670556Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:28.082{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C20C29D7F0594B1B20F094049A867068,SHA256=1A4CC057D0746CA472029C6A838852ACB7BD9197DB23DFAF26A4C208ACE2CC01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670559Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:28.412{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51129-false10.0.1.12-8000- 23542300x8000000000000000670558Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:29.181{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C476B4508CB38B8F43250BF5C539ECA,SHA256=37C88568D69809DAD6BA2295511AEC94AE6AAED72D550F3EE4501920B13FAB4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670557Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:29.096{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71665BD062A84C5E45B054C23067358,SHA256=FC75B9486FA48C53D4E6F5A9A756B2E5BC99F03B5AE55B250F7760E96C89D0BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571983Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:29.739{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670560Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:30.111{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1A62A466B981957D3223F61DF0FD01,SHA256=CFB49E7DCCD2F319188A29D57A1C626694D66E0A865D4BAEF88CCF76F512C237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571985Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:30.725{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8176AD386DE268A2B5AE80841733D956,SHA256=4E2AC6C9308C2D9E9F3A901CF9E4DC5F4CA102A1927539B01ADAB75AA099F0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571984Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:30.004{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BB6D2B2B93CC5977B812F5DFBA1DC4,SHA256=9AA3BC4E5A247175522E4A3087167528B4521F6B034FB433DB8E525180671E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670561Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:31.126{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8DC7DEAE6597C241C5408B15EA8B0E9,SHA256=2D85FA1D87B8581A29E69BF71716EF088F291BD44ECF4D07C639D344B071BA4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000571987Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:29.354{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52746-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000571986Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:31.037{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1317E1EC6B51936D260E3EF16CCF2FE,SHA256=EE731889486E0F9C2A8D2D52E590AD9AB8B89570BC743F73C1CBB667BCD78F5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000571989Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:29.809{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52747-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000571988Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:32.053{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9787119CD817AB1209B5D3D29C08C0,SHA256=37DF61083A63A2E0BD64F247EBDE6B953AF31888AA119E97436C8D853EA8BA38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670570Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=12849F636644AF16A7BBE28AC49A6D13,SHA256=96A54A57EF72DE8209AE628B613A71439EC59106907AC9513D558E233E13F1C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670569Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B24DE056D9BA1C8042D684ADF2AF57D8,SHA256=F05BC097BC7581C7AC0F875A7F93D32AFED90C9EE39465B5B2E3D39F5D3E12E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670568Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=ECA9F6397D91CD8CF550F87429B568E3,SHA256=C55AB820AB3D161F7FEA0FBEE936810319356AFBE14367FFB93FB4F879D247DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670567Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=9CCF2B283D6BE1FBE185F7C980C883F0,SHA256=A8C86C66F0AB705AA0D4A428AE0E4B116883103F70AE51806DE87A6A55ACBA2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670566Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B8AD46A693DD712EDB8E2F45CBADC882,SHA256=906DAFB87FB63C5E5C941A70009EA960C7FFB84867557C745E0CC4776ECF9BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670565Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=EA888EFD6E081F4014C4F98C4FFEBE1F,SHA256=9AF9897AC5DF7F18BEC855B203F5484222B5754B026728F3AC8481B84234960E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670564Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=56B9093ABFCF6CF68BFEF07D1CFC6208,SHA256=7493C58070C899444C156C8A7316521A74D476AB288351DB352D8EBA780BEAC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670563Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.677{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B4279EF28559D72A7A837DB5F5300189,SHA256=33E0B5B97BB66543813EC3A0A180F7C28156FDCD0880DDDA16C1A069C84781F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670562Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:32.162{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374482B2E7FEDA49CB8EE9D514D5A077,SHA256=8C5F0419BDC0C3FF8F717CF11D4220920ABB09EEBF3E97C8962B0FF87D78A481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571990Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:33.068{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B9E657F1E0808C7CB5231D29B54B36,SHA256=BBAA79C6FFF2A6EBAF2390F5E87AE15BACB157A1A5112482FBF9A4D85E0BF1E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670571Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:33.176{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639F53E8AB478E103C05FC2978A585B5,SHA256=75BF7C12F18FAB56345C418580081202E041C30CAB22923E20BA3D72AD647F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670574Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:34.242{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DA92D20A987BF2941EA1EDDD27CCCA7,SHA256=DA92EEB617FFD4CAA1452304394B51966919B608031F136D4079ED6EE3BD6190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670573Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:34.241{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FF32EAC3A36E81B19D01A99E1363B28,SHA256=CAE209A3F8CFB56A3C485B768F4D2D6D09C2376DDE8B9E7131F9E539DA1E41E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670572Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:34.190{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8797C023C5F323A6EFF09FF0ED387F,SHA256=85D13FF80F93B3D1F4E8C30D4FE661AF8964ABEF932D66CD568EA94A47E61B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000571991Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:34.084{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2019F4D423CB9C3BE405C51F2E1D96,SHA256=87A39635CD74AE9C47EF531C371F8EBFBCFF256B65EA6D52D876457028E23EE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670576Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:33.485{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51130-false10.0.1.12-8000- 23542300x8000000000000000670575Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:35.221{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC5C95BEE663CC06D819594810FF49EB,SHA256=85FDB7F23D5B40BC61D1B86389063ECD59F25352926837F3E80B523C701D07F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572020Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.990{E1BD9FC2-7F0F-609D-E550-00000000BB01}25282552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572019Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F0F-609D-E550-00000000BB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572018Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572017Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572016Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572015Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572014Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572013Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572012Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572011Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572010Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572009Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F0F-609D-E550-00000000BB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572008Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.865{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F0F-609D-E550-00000000BB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572007Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.866{E1BD9FC2-7F0F-609D-E550-00000000BB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000572006Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.334{E1BD9FC2-7F0F-609D-E450-00000000BB01}2162152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572005Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F0F-609D-E450-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572004Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572003Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572002Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572001Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572000Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571999Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571998Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571997Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571996Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000571995Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F0F-609D-E450-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000571994Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.193{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F0F-609D-E450-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000571993Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.194{E1BD9FC2-7F0F-609D-E450-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000571992Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.115{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=071B3C135BCE47B2ABD85665A07F11C8,SHA256=AC55B069EE0844FF7EC627C904E5A96AA4FB0062D3E307A43F24B2D24D921E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670577Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:36.239{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6E6FDB4EF38F36EE456E6634194E02,SHA256=4F107C41D17A74660EB35B083E77096857F73CF12EA08919F64D33119390A57D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572036Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F10-609D-E650-00000000BB01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572035Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572034Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572033Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572032Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572031Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572030Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572029Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572028Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572027Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572026Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-7F10-609D-E650-00000000BB01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572025Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.537{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F10-609D-E650-00000000BB01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572024Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.538{E1BD9FC2-7F10-609D-E650-00000000BB01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572023Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E5CDEF255320B97DE632FE7CD506697,SHA256=BB81A5E0F05BB5604AD3B724DA13795F538DC8B92F10927B87B4E48663C33F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572022Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D683F1D9F3D6A2DC23858493D7B99717,SHA256=764B1C744D69888911BCD484E414B4A3A2F6853A8C5105D971FBCC92FC2FF716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572021Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:36.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80755D31A427CCBD28EE6FE9F5823198,SHA256=382E9EDB4E632A4E3F1334CB3A40659DF756613AD23997BB61C6D1214F2E49B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572053Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.771{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E5CDEF255320B97DE632FE7CD506697,SHA256=BB81A5E0F05BB5604AD3B724DA13795F538DC8B92F10927B87B4E48663C33F03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572052Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:35.700{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52748-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572051Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.506{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9671643C7AA19A7722F71A9C52E4FC1,SHA256=21F099AF90CD6D7988D52A07D916049C3374DFB723BE0BB8A493456A34B23F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670578Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:37.320{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF185CB4E73809E7328BB658046BBF99,SHA256=92FD2F5E3569199950F6C1A90A110A6B7AC59F4121EE9A997ED745E8AC36E52E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572050Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.334{E1BD9FC2-7F11-609D-E750-00000000BB01}19641168C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572049Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F11-609D-E750-00000000BB01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572048Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572047Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572046Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572045Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572044Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572043Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572042Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572041Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572040Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572039Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F11-609D-E750-00000000BB01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572038Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.209{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F11-609D-E750-00000000BB01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572037Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:37.210{E1BD9FC2-7F11-609D-E750-00000000BB01}1964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572054Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:38.521{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76534D804672C60629CB4A9EA69E8107,SHA256=7E2E63088E5A5696F3C496355B9DE3899C5E6D400E18AC8794C6F7A7FA5D0C76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670579Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:38.337{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBFF0044C3A04F8A559F39C08FEADBD,SHA256=EA19693B5071FE4616E6CA694C98438AD94064697B0EEE36C79C428538A0F284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572055Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:39.537{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018E84AE3A34C1357616C0619192CE32,SHA256=0376B5B5EF6C34CFA18DB8D9260D6E503B69BF87670109A527ECBEF046BD282B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670580Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:39.355{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5723E9E6769BD4706E9ECD29122B59BA,SHA256=E27AC153D979DA6F7F1D7FFBFEE36B0114F6ED4A6FA7E07214444627DE56B9BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572056Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:40.553{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3119297714CEC0895AFEA9D3A7A4D1,SHA256=E97A64CDA490E4C805F7CBE973006778257C4BE7F347084DA912B44B31E7226F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670584Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:39.301{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51131-false10.0.1.12-8000- 23542300x8000000000000000670583Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:40.385{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=536DADF69FE5F31C4CE269FFDF990782,SHA256=6265EB323EA9F1C5C4B18411AF9DA4CE914929D83BD81B61841DFC4F7624C1F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670582Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:40.085{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85A9A2E773EC9C4EFE63925BA4A0FB42,SHA256=E87EFA792CD704A24DC70D32C9BFCE1F407E59DB26F58472A67A6C336A0645E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670581Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:40.085{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DA92D20A987BF2941EA1EDDD27CCCA7,SHA256=DA92EEB617FFD4CAA1452304394B51966919B608031F136D4079ED6EE3BD6190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670585Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:41.399{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D89A5106A98A7E26814CF2944352DE2,SHA256=56320E19E08184EDEB9641CDA4AE8C58A3A186EE7B9B4EE67884856865B4C1D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572057Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:41.553{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B46D37275B435ADAF60C696201F4EE,SHA256=DDF3E8FFF8D63009533C8819EB6930C6D9B35AAD83776A517C783C9BA78B55FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670587Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:42.433{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EEF9CCB87CE00B8682A6D4840D1A1A,SHA256=BED9770A19E2DC90EBE34E44F4F35AC9E138D67CD6B7C4B8830242F68FF3D601,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572060Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:40.871{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52749-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572059Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:42.568{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82C283407238130C2A045A1A9299B5D,SHA256=B4EEBF9757DA01C1D8A069F04099FD690063DA45F9F971D42150C33F21DA3DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670586Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:42.268{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85A9A2E773EC9C4EFE63925BA4A0FB42,SHA256=E87EFA792CD704A24DC70D32C9BFCE1F407E59DB26F58472A67A6C336A0645E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572058Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:42.271{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4AFF2F1BE518F213F2CE03808D7AB16,SHA256=F9DD8A3DEE25E648309FBC4D709AF71A212930DADCEC70381501BEC75DC8DAF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572061Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:43.584{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00FFC99B7A157DB559E04B11F3F1B72,SHA256=0383F4610ADCFB567593227C82B3B3AF03FA04F3E1DD220855DF50B6704FAC69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670588Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:43.451{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2961E7628FAC3BC728B47D98419E1F,SHA256=19ED94560AC00F0450EBC20D50EB56F498C00320B4F4A9A9849241936B0160A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572062Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:44.631{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=457471183B18953B0B1A139469F723C9,SHA256=5CA736D3F6DD2708D835609E84D8947141CB59D9CFDE0190BEDC8644AE5F1BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670589Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:44.465{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1B9F8B2099CD8E24FED35FF4EF6B41,SHA256=B6DFC8883CC10B11FE4508045C3C4C16FD156D4F90EE849128A4933AF68328C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572063Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:45.646{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E3A5F69CC81236115BF750E34DCAC5B,SHA256=1D0F5A9595A52B71D382691A1C7C86CE8D40F01E7E367E36E7789E4F3E286252,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670608Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:44.412{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51132-false10.0.1.12-8000- 10341000x8000000000000000670607Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.634{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F19-609D-DE55-00000000BA01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670606Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.631{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670605Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.631{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670604Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.631{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670603Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.630{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670602Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.630{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7F19-609D-DE55-00000000BA01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670601Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.630{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F19-609D-DE55-00000000BA01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670600Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.630{7B03F3B2-7F19-609D-DE55-00000000BA01}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670599Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.466{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED4DEFFCF60FFA1055EA56E92ED6832,SHA256=230A3446271027AEEE6EEEF6E48AB85A0FD43141777956F4D9BDBAFFE87BBF25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670598Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.181{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB11D4F050CAF8E9B71E603D934FD8F0,SHA256=B7B5122B381A69FD70733A309946C441CC4C667F3E4C3644EB452716ECCE5B92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670597Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.065{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F19-609D-DD55-00000000BA01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670596Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.065{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670595Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.065{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670594Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.065{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670593Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.065{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670592Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.065{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7F19-609D-DD55-00000000BA01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670591Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.065{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F19-609D-DD55-00000000BA01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670590Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:45.066{7B03F3B2-7F19-609D-DD55-00000000BA01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572064Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:46.663{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8B2D61438A6E0CF94F38ABE664A815,SHA256=78B4DA75C960480D448FBFE9EDFFBA8A28765AF4B07489EFF4C3DC19A2981755,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670619Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.481{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB63A23E6BD31AF2B9E0C01255AE841,SHA256=CA8EDD1ED4017C9E24681211CD4700E72BEB48A6D76BB3198B1061A2EF71FFC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670618Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.465{7B03F3B2-7F1A-609D-DF55-00000000BA01}68084024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670617Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.327{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA22F76E379131E7CFAC0EDBEFA83FB4,SHA256=C4A74E65432DAB0536FE286D5F88EE35DF0B1877EEF5689C8E173B0A1ABBB899,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670616Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.307{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F1A-609D-DF55-00000000BA01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670615Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.307{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670614Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.307{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670613Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.307{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670612Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.307{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670611Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.307{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7F1A-609D-DF55-00000000BA01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670610Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.307{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F1A-609D-DF55-00000000BA01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670609Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:46.308{7B03F3B2-7F1A-609D-DF55-00000000BA01}6808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572065Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:47.679{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C13A6346C790AC33061CC48F132C6F,SHA256=9C9A1A7AEB82964312F2643EE779225F3E58C49BE0B40863CBC5C7442BF94B35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670638Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.882{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F1B-609D-E155-00000000BA01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670637Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.882{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670636Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.882{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670635Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.882{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-7F1B-609D-E155-00000000BA01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670634Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.882{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670633Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.882{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670632Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.882{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F1B-609D-E155-00000000BA01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670631Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.883{7B03F3B2-7F1B-609D-E155-00000000BA01}6776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670630Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.482{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5966D9C4DB7824CB9C2191D00F2B20BA,SHA256=89412B8C19FA38EBF117809EA629F9E0BC1138D10F0B441599E08E8D5F1C6ACA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670629Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.398{7B03F3B2-7F1B-609D-E055-00000000BA01}72287868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670628Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.336{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F02E584BCA129B95DC64F63F8FAFE4B,SHA256=B0FE9CE8A5345CAF74FDB8DC8DEF7CA4058E5E98F4499267B78B956D4D78570E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670627Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.198{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F1B-609D-E055-00000000BA01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670626Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.198{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670625Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.198{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670624Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.198{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670623Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.198{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670622Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.198{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-7F1B-609D-E055-00000000BA01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670621Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.198{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F1B-609D-E055-00000000BA01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670620Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:47.199{7B03F3B2-7F1B-609D-E055-00000000BA01}7228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000572069Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:46.716{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52750-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572068Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:48.694{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C19F691BB28EC3CB432CB5F6053FD1E,SHA256=A1D57238C3E17B0D96F887DF4A05167720E94DEE598FDAE1DEEBDC3398EED15E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670649Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=CA1FD358CFDB9B6086556D4C199BDC11,SHA256=CDD671F28E06F222CCCA992EF5E93B81F70CB2D5B3D65B1DF3E627592279F9BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670648Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=369EE1AC8CA4ACA3F6DFD850E3F661A8,SHA256=270AA68E59057D23007BC819D18DA4399CC6F16404CF71FF86080F988A5B1E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670647Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=12687E8A93A3A899992CB26BAF1CE4AD,SHA256=FC09C31043FFCAC48997426F63F823BC95A0AC8AC7DA00E62649E49C3E21E64F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670646Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=3C0B1779FFA9A9B8977D89391792930C,SHA256=60954CC76E519EC6CA4BECDE5B0BB728174B8108FB6DC7FDC3C042CBE13E9E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670645Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B45BE1B57F89C0F7AA48AE4F7A5CD3DA,SHA256=B2DFC9699A6EEFFC71E4B790EED49A973AC05AAA0EBC417E4B20B09370E9377A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670644Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=766F5FD9A4E2CB4EE0915EEE8D13A21C,SHA256=80F84C4C6A76FE6AA98B74B6CA68B110AF6B4ED29A3C56DC2F72A7ECE0463684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670643Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=656DA559066D156C6E8A867C1C837900,SHA256=6ED568B972FC5AECB3186F2BD84330EBC5FD4210319704BA200CA1B311ACB8C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670642Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.662{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=AA8059246A21FD59D466079752703F12,SHA256=D505237C2ED78194FF94D14CCCCDFB299E79BA208950B664A8CAAA47C06A7C24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670641Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.493{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AE244381C4B69E0D55EE5586EBBA86,SHA256=B1F04E823E5572E269D0452308D081912DC59A88A3F6AAE27E4CE053A421D423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572067Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:48.116{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAD5B79FFEEAC5A5468C997A4A4CFF27,SHA256=63643942F80D9A2868061979957E99922D3D5C5E0A351F4346ED3309DD07A47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572066Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:48.116{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC958DD0C3A4D88432EA44FDBAB0BB20,SHA256=EBA73D5F74AACD8FD2968A61E9AD0973F397988FC6AA160D78D96189A494B760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670640Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.424{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=509327FB5CC9E8C901B53B48C20CC23F,SHA256=6935368CE54527592B15A6DDDBA504607938F5DD1B08E01561A892BB41F6C4A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670639Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:48.127{7B03F3B2-7F1B-609D-E155-00000000BA01}67764520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572070Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:49.695{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6646455F0F0B48ED1D03EEE06FD6E6D,SHA256=2EAC36BD8B3092289B272A2B19D65451040432FF8740BD6E92F03FD9831E91DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670650Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:49.524{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB28D3E94D6924E3011896E04678785,SHA256=DED5BDB9620AAC355B16E13998B76289D7BE2B544468D0B2F7DA29E3A4126A15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572071Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:50.758{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E439A96E5BAB1FAB59A64037385E18A,SHA256=8943B56BC8A699B54CE6125241A04858EA0291620B4F0D573D8CFAF367E03D15,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670659Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.822{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F1E-609D-E255-00000000BA01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670658Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.822{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670657Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.822{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670656Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.822{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670655Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.822{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670654Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.822{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7F1E-609D-E255-00000000BA01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670653Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.822{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F1E-609D-E255-00000000BA01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670652Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.823{7B03F3B2-7F1E-609D-E255-00000000BA01}7448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670651Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.540{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C1935E83E789665D4308EE33C52D47,SHA256=A944D2EBAB7DC0F074B00472030AC6D4831EA149F389A702E94F2D5B85F6E94B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572072Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:51.789{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9C5CA813E054FD267BFCC5B9ABDE86,SHA256=6A3890F3C4934080345DF9B77AF5C84406BC46C57550C1108189E1EC3BF8230F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670671Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:50.406{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51133-false10.0.1.12-8000- 23542300x8000000000000000670670Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.546{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA18B1415A1517423AB2AD03BE234E1,SHA256=C874839E9AAFE98CB300FA8CB0C087C9114B960A8C81621FF70743909845712B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670669Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.493{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F1F-609D-E355-00000000BA01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670668Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.493{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670667Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.493{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670666Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.493{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670665Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.493{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670664Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.493{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7F1F-609D-E355-00000000BA01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670663Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.493{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F1F-609D-E355-00000000BA01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670662Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.494{7B03F3B2-7F1F-609D-E355-00000000BA01}712C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670661Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.192{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EFBDB5771CC0BDC86D653A9FEA59E8D,SHA256=0021B8C4DFD67889D76BAFD8E3E727F1D1D697E00800626AB3EBA7B5F6F0833A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670660Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:51.077{7B03F3B2-7F1E-609D-E255-00000000BA01}74487612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572073Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:52.805{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25E39B3027BE8E949D49EC76ADD4613,SHA256=00A207E5CB5E26D76C9718F1A20FA13096CE6E0D162793856E67D452EC22CA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670673Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:52.553{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA1E191CA40FFC7B2253F531C7BA308,SHA256=16D0BE83FECC79D8C3F9AC23FCB1B6A50FAFFA855E207D45260907FA648D7656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670672Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:52.506{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=746035797CF18E101C515E07DD6C0A70,SHA256=1E375C03D1D43F0D1B8E963253ADC3A00B37AA5D639AA07445B0CAF192FF5A7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572076Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:53.852{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08ADBD24FD740CB41AFF7AD32095D7B6,SHA256=FC19080777715C3058D9CE80787DE237ED3647BA12C2B92823493ACF0C09DF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670675Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:53.570{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B30260AB22EA60BCAC7C6E812EFA622,SHA256=87CC02223FD31F74E53081666319349941B102A6ADC314C81D055EB98A0AE829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572075Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:53.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93B821FCF3BA4FCFF0DD22864BB5FA15,SHA256=3BC34318B1ECF02AAD97D469240088109F815E82DDC99484B34BF6859A1ADAF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572074Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:53.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAD5B79FFEEAC5A5468C997A4A4CFF27,SHA256=63643942F80D9A2868061979957E99922D3D5C5E0A351F4346ED3309DD07A47E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670674Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:53.536{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6416BB0E03B1EFB3D10CC1907F823B7A,SHA256=26F95C66646A8A007C5D98864939014E5654FB5DA8424C9EC8EC4052BAD0A718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572078Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:54.867{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E36BF55F0AE955CE053648D105A0DDA,SHA256=70551CFA25B760C963850CF5BD14CF98E13E94C4796CE8FD45AEAC4C647A0A98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670676Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:54.588{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9BE8A3F27DC325D1236590E70DFF3D,SHA256=CAD4036CA0284E5DED1A6462CC2BA8411E937AD559592CA6654449EFF5BE1CCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572077Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:51.764{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52751-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572079Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:55.961{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF302D18498D8423FE08732E3518E88E,SHA256=5130DFA90F846569D5E1FBB7CFBB37118144370B923ACC722812D866F621C317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670677Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:55.620{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0650AB87DBFABD84EA691736795D5433,SHA256=7BA5CF1B67B0AEAB436C1D04162CA192EC41DCA4D5C40F906DDAC1421FFDD89D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572080Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:56.977{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D60818B48D1ABA127C388BD178CDA3A5,SHA256=E6214B2ECA19B557C00D27225A9E595A2570E8E212078B224C3905EB6E7FCCFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670679Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:56.634{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B2520CEE837CEB243425CA610B80CDB,SHA256=C4DBD8380748B54B2F1956B746BBED6A5B06A4181CC4E217235F12E29FA08F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670678Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:56.188{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BEEDC4508E833A83E3486CE2C7CC667,SHA256=8A7A9B596FF69A6FFFA900374C906A1CCF9447BDCDCB56167BD709D3F3A0E0EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572081Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:57.992{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B9D61079EAD1D0EAFBAE768771916E,SHA256=B49947EA7888F2AC6537EFD738B0291D0F040CF6D039E05FAEBAECA999675F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670680Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:57.635{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595A3A2DD12483CDD8AA4AE4B49391E5,SHA256=8C186487EBBD946B99722F7AF7CB86E1223B06F69076A019BAED69D647162CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670682Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:58.637{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4BA93A40104249BE5E010A64AD1255,SHA256=76F72D1C1C207D4C67F18985FE510C5D929F1B29F8D7D9A563884F1CEE4C38EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572083Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:58.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D46B0E55EDD5D56FE9F4CC8B78F7396,SHA256=337EF914BA20A2F7C9955CCC13FD09E45342B3E39A4D7372C0BEE95D561F79F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572082Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:58.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93B821FCF3BA4FCFF0DD22864BB5FA15,SHA256=3BC34318B1ECF02AAD97D469240088109F815E82DDC99484B34BF6859A1ADAF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670681Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:55.412{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51134-false10.0.1.12-8000- 23542300x8000000000000000670683Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:33:59.652{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475389A861BD1BB972FD3E3FEBCD2622,SHA256=3A6555C46EF795C80C9B2B85A5065CC50C52D22EF22B9DFD14159FC63557676A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572085Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:56.796{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52752-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572084Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:33:59.008{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0C8017490B1B295A84CC6E1144BAF0,SHA256=041C3C0A2954D862DF4D9F87017F56CA95A629B572298051BD663C9B40834A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670684Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:00.668{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937656435F713EA3D46165A2D7F83A22,SHA256=94BD557B9EADA9E83A3115B41967EA2FD99AB5BC11650A06800D279B841F0634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572086Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:00.055{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F925F8AA1EA718CCC8926AB069AAD0B,SHA256=2E92FF57AB2E114699E4479384A782B3CB908B5AA18E1986FDB1887A5E877B2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670688Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:00.450{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51135-false10.0.1.12-8000- 23542300x8000000000000000670687Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:01.687{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69762834149FFBD9A894437E10600E7,SHA256=5E3D78579FF5D9F1E07864AB13D4733FD3C0A026E684BFCFF9F72D708868ADFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572087Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:01.086{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF4AF3CCFE8BA1619D9DD3CB749CC05,SHA256=11996E12824BAC954B97234E50CF45912A0E85F2B8257776BF5FE22A872C8689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670686Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:01.234{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D430D55689F33C4CAC1B54FBBF564CE,SHA256=38DE7FF70F14CF5D56DB629561553A39B3BC84345A8DB583AE7C348FBA2EDF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670685Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:01.234{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FE1B89B1A417E20B32126667510F4FF,SHA256=BC8122A7B3A13C0FF000FDA2D6C190B120C24B06640856615E3F04BE16398638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670690Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:02.703{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCEBACFF6BF7D5AC3A20196ABCD76D21,SHA256=121E3D5F9219DCB9C3F33BE807B0B04846B079E2360197BE50E56E79800125D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572088Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:02.133{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054C6C9C332CCE9FD6E16B0EFB8ED965,SHA256=CBA35692079FF32174923C153F4C187124F45B6C247AD45CE2E4CD540AC6323D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670689Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:02.287{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D430D55689F33C4CAC1B54FBBF564CE,SHA256=38DE7FF70F14CF5D56DB629561553A39B3BC84345A8DB583AE7C348FBA2EDF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670691Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:03.718{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3F3A5C21EDC6E7EA0268540114A46F,SHA256=A03B6EBF7DA3BF93BEB16221D82B3FA4DB4F6EDF3CC803F3424BB054FDAF3AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572091Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:03.227{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB3B86A92C31C4218410CC123163E9F2,SHA256=C58EF291BB46F241678B9DFBDD0DE5447376CEC4B80FB4B01754EDF69410969B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572090Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:03.227{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D46B0E55EDD5D56FE9F4CC8B78F7396,SHA256=337EF914BA20A2F7C9955CCC13FD09E45342B3E39A4D7372C0BEE95D561F79F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572089Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:03.164{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35428A933B269C630238ADF90ABB6B27,SHA256=9F1C65E68B4375FC3627710B0022378333305E3B4E6165D8C0939921A40C2072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670692Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:04.732{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF59C3B21753602D8F3D02A0E1365DED,SHA256=D9FDB8F690503275EB296210175D91C91091995B78F129CC8D9B12B562D53595,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572093Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:01.842{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52753-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572092Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:04.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6C02891CDB0BDBE681B1D9100196BE,SHA256=4333B2B0F16FE433D45EE8376CE890C75D0C6EFAAAC88C8F5D03006D29DA314A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670693Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:05.764{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC1969B3C900AA3C71A18A8DD19A6E5,SHA256=46F4E56080A3BA1FFC79A893380B42BA079C497B732D3DE0F4AAD3D74CB53C6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572094Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:05.211{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9166DF88733DE54FABE3B64AFB6D7DB5,SHA256=AD1353480E48CD714BE8FD737DEB58DFCBEBC9B826697AD63E893B861FBC3634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670695Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:06.784{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C0BB979EE2E481672BB6F24E23879E2,SHA256=143A3E4E514738325DA45DA0C597D79509116ED1464D99608107564326A57B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572095Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:06.242{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E10336F80C3ADD52F60F65676517E6,SHA256=040476ACF089E6F207DEF3C0BEC9178B1F4440A7DEC2A2E7C6F2033FCBC38B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670694Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:06.264{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B067A9E18C018D32644BFDE1A86AB81F,SHA256=F4BA54D8BACF464D577ECC07E8C90385F55D100CD093AC04B491E397F75551A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670698Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:07.785{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508EFD8810D74EDB1A0E0D5B77E761BA,SHA256=339A2971398DE9091C0BECC9049E63508E6A2008A927BCF2EDC0ABC51D99ABC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572096Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:07.271{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44F1D849479B0BEE81393E33F1A2F33E,SHA256=35AF58229C7074A6D0F2E3E820EE75DA206A78ADB45CEE6B983458118F4A9EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670697Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:07.286{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BA60ADCF32C6CBEB344C8452AF7E381,SHA256=C81786EFE5D131A6083D60A5E1D27357D98EE8047C2EF235887070B06F898167,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670696Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:05.493{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51136-false10.0.1.12-8000- 23542300x8000000000000000670699Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:08.801{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F21D2227D43662DADFB7EE1FF1C364,SHA256=551657B3A589155328B17A9EDE090B2DB45592A70FD1851755CDB72CC33668B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572097Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:08.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44119C1486C3F5BD9919F1E372EA2069,SHA256=B5D3EB1CCB7E537F7B756D7D066E1A835957917363A6C111AAB96B04D270DBD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670700Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:09.815{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D210176198F33979A73343BFA0A52398,SHA256=F7ACCCD4832F32D19BB97855B1CC0714A897FB13C9413B51DD213B85438DD783,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572102Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:07.715{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52754-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572101Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:09.474{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=21413888F705151D9C338924607AC714,SHA256=931A9A8B565FB6ECAC49F466A1F61469720C8B22F1B6D3AA0D81DFC6496408DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572100Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:09.381{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C234E06F85C62842BC733451093EF8,SHA256=71C7AF9056E13FF3F600078D7477F02871C17BD07A7C42ADB0C718BB43191327,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572099Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:09.131{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BA7010844630EC7AA7B651C3852D045,SHA256=8FF48511556DD6FBC2895EC722104B1CA01831A9D347812646FF0C3503C266DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572098Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:09.131{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB3B86A92C31C4218410CC123163E9F2,SHA256=C58EF291BB46F241678B9DFBDD0DE5447376CEC4B80FB4B01754EDF69410969B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670704Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:10.865{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A347488379C29FF7BB9FB00CC5771F3A,SHA256=7B795A1C050C5C939F4415CE82A4AFBDCA5E8594394635A9897275759F818223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572103Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:10.381{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D20B6E8FD23BCC29A6686EDF252B4A,SHA256=7248B20F22AB68C9D5933B640EA232BB6E89A4A349C346690AEC2E12593B608D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670703Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:10.084{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670702Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:10.084{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670701Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:10.084{7B03F3B2-D0C8-609A-0B00-00000000BA01}6327824C:\Windows\system32\lsass.exe{7B03F3B2-D0C8-609A-0A00-00000000BA01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670708Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:11.873{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A168776A4D713A2FE5AFC4C9502B6A,SHA256=0DD2AE5137E3869393B039534029BD022995F32DAC090474A5EAEE39B4868A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572104Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:11.396{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F40E441D8144A9F417BEBF8FD53F5B53,SHA256=39354B913524F1907F992693B013853C096300AAD13371E3C8C326AF19D713D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670707Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:11.108{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADAD6E8CA6C517B59D955F82B5C8D605,SHA256=D2A049E50FF62015228DEB5A66BF03923BB89D00DBC608EC0DECF767E627EF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670706Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:11.093{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C145C4D5E2C35FD12561ED0E19132289,SHA256=79D44ED3EB87BA76E1F3488B4ECD9D71D87F354B2066BC4F69B4F4C5EF377C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670705Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:11.093{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=099AA66755E3EFC7ED12B8D2D756543D,SHA256=0FACF2F5C750CAB0C859B857FF22C0EE2BE59BBF16940110F349DA12B92B3B22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670712Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:12.890{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6A336A9C1BCFEA53ABEFB31213AA25,SHA256=AF4C1D3BE6856FF9800D52958F1434C58938DA22DC4D04703DB69427C429180F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572105Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:12.412{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD095AC2C4B4D9D682775FAC21C0157,SHA256=8A67E566872808B9E9B7B7D50C0069180D428E73C458CD4059654F2B8B56A6D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670711Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:10.350{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-18.attackrange.local51137-false8.240.38.126-80http 354300x8000000000000000670710Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:10.341{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local54980- 23542300x8000000000000000670709Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:12.191{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AEE2CF00636F965E7A4E3F8C6052994,SHA256=BE533C17224589FA81C7656B9881B8348C88168013FD05A828B0B9ECEB06F1CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670714Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:13.905{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21564AB43CBDA726366886DA286003C,SHA256=A67159126E998432F8E9133FC06023A0CB97EC73139A4E691E385ADA9DB9589A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572106Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:13.443{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81AB95BD768CD9C14D504F9D5C6AD0C,SHA256=4FC0C03E152B2428CB4C1855B3421A7E535A2B4B10FE19B409F59636CCE0AC34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670713Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:11.416{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51138-false10.0.1.12-8000- 23542300x8000000000000000670717Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:14.920{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A552620B0770841A0B6682ED79E2C6F3,SHA256=D5536AF509D483178264B4A469E1731FDF306455CA14BBA2D144764621976984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572109Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:14.443{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965DC9E9C17CBA3C675D7D387A6C3A43,SHA256=877B1A7F0643C361DE0C486A9F95E80E6C2F9598C1DD51CA43FDA08A0C742F72,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000670716Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:14.220{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txt2021-05-13 14:34:13.883 23542300x8000000000000000670715Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:14.220{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txtMD5=5906967C1034B0D6EB40F53FCBFFA07F,SHA256=9C1BE92930D16E7E37F376A15B616970B55FA82800ED038AFCE5F9B80B640BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572108Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:14.209{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D5498F67CDFAD47241AF2E65B936A0A,SHA256=296B38AE01353F87825439B300DEFC1853EB343C3A6860C7D0CADA4D9802B453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572107Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:14.209{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BA7010844630EC7AA7B651C3852D045,SHA256=8FF48511556DD6FBC2895EC722104B1CA01831A9D347812646FF0C3503C266DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670718Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:15.949{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D7B07337A4B69674F1B01B2C0E7DF5,SHA256=C0806FA99B508F71942685A706380E66E6DAC2071E453003675350DEBE1E29EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572111Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:12.824{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52755-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572110Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:15.490{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0413D62B6B7657A16C5F7FE8E775DB,SHA256=3A08CDEF80A1045F80188246788A6962AA66C382515093186CBD7C0AB621AEC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670719Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:16.951{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5BC1C2CBAEBB05969893FE5C65C395,SHA256=6412C6D2A88C237CE9194F85EF2D8E7671427DA8C974A2964D663C2320347343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572112Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:16.615{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4588EE786C35784B46F9E7B8EEB643AE,SHA256=24F159827D195EABB258D3D153D18366612AB44DD3A8054018DD731D077F635B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670722Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:17.969{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=315F1202F1B4734F63CE28F2AF79E015,SHA256=24EE77B414064CB3A8C7071D9F2804A7CCE1B2B554425B45949D3973254A6F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572115Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:17.646{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9DD4655745B4853FC1B701EEE49D38,SHA256=0379AA230037F6E6802196B99A81858998D0851D96E846D609F46770CA9C8298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670721Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:17.236{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC7E804C76DFEC9DA97B92B1957D656B,SHA256=20F35AFE7EAD0EEF06203C548CC3D6A66ADF6421FC4A6D02B9A580ACCCE72A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670720Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:17.236{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D64D0F7B92BD1170B5682510A5EF77A,SHA256=0307810FD2219E93A024AF1165117B70F4E1A7DB6CA3E39B258348295F64E2DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572114Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:17.396{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D4BF469587FAACEA227339B31C1BB287,SHA256=EB916CFCABE9BD0B6C9D825FEA2C10046BE299B7D7010DB78E759E41CAD63DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572113Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:17.396{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E481D82249C8DC07AB59646C6802CF2F,SHA256=0C7A943254953900ABF5BF565299E0FC36A66FCA4FC88D8EE12E6F2F45330D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670723Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:18.988{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43345008732D2772A31BDCB2BC61CB16,SHA256=447A5873C6C5C0F9A161A8929F3E15841F4ED1300E08D87F0209B75662454545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572116Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:18.662{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3777C5A7885C1BB1048D721CDB4DEE9,SHA256=4ED2E642D95470DE3AC93B6F1618D75093F9C4B8C53086B8D42EA181D73114C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572119Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:19.662{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC09DC22F5ECF44D5DC1C55E046E1F79,SHA256=292A9D66E15A9F14703BF91A4B288050B2B2B164E70012D82BF43DDA35387654,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670724Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:16.479{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51139-false10.0.1.12-8000- 23542300x8000000000000000572118Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:19.271{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B64076371FF0681BDDA2CFABB7684C5D,SHA256=9BC81DCE92F7425E226497B6D9F710EEF5B77260E2937EDD9586FF0BD5659421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572117Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:19.271{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D5498F67CDFAD47241AF2E65B936A0A,SHA256=296B38AE01353F87825439B300DEFC1853EB343C3A6860C7D0CADA4D9802B453,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572121Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:17.887{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52756-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572120Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:20.677{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3593A6E28C04F9754254887EBED948CA,SHA256=D5DF397441EB88D26B6FCA9BCABBEFEC05BF29EAC22375254211C337AA95E486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670725Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:20.003{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4555840D090DB38839121473796446,SHA256=2CF04298E32D793FAF02C1413C6A361956255166665E2A2A2B29F43398E9FB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572122Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:21.678{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4484801A6D497DB8A72FEEF90696F2DF,SHA256=07364B7199262933F3D454E4B7A9ED988D651B9832C9E2338598B8F97F0D46E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670726Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:21.017{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=912E34891568A526224F749FA0B30DD4,SHA256=116C9FF293DE1F55C7C9C4D0858A925303262E97C4F93599DEDA521D2087FE79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572123Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:22.693{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B0F4833491F94414353E0CABDA5584,SHA256=E6FC0E8F1CBF5B4D4BD2B5E246809EDBB6A448ABF00C93FECBC3F6AE78719C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670729Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:22.300{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A15E9A02312E07BD61301A0FF998702,SHA256=E9362C47115CAB61D2968E6DD6B577BBAB3AF8442B6FDB796BE0A7661B9C09DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670728Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:22.300{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC7E804C76DFEC9DA97B92B1957D656B,SHA256=20F35AFE7EAD0EEF06203C548CC3D6A66ADF6421FC4A6D02B9A580ACCCE72A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670727Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:22.066{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D81E16BFC90F43B5AC3919B81382BBB1,SHA256=E0FA6191DCFDCD8C53DF1976B8AEF8F7FDA3684FCC11FE6BF58109D008C501B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572124Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:23.724{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A964D1D38D7C5AC11DAEE388EAE5FCC0,SHA256=316E8202F9576218E17A907B3C6690FFB70377996A30AF530BD6A55C80212115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670730Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:23.084{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC8744481F52C681781F38CC8B7C8738,SHA256=AC3D2C0C228112CE56B7F90173C7368062F5A0DCF3FD0A5D4523B9F4F2E20AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572125Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:24.756{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB74EDA826D033352356BE763349B13F,SHA256=9E1F5E7F45115C0AC64BC89615BDDC04389A719F7EC4747B9E4423C2E6348644,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670732Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:22.309{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51140-false10.0.1.12-8000- 23542300x8000000000000000670731Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:24.130{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245832A51B9A5D2BE3862F24A9573CEE,SHA256=A9E130317290588E25465DC21E0CA0BB78EF845D0C50CD18BBA388FED40FD7FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572141Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F41-609D-E850-00000000BB01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572140Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572139Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572138Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572137Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572136Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572135Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572134Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572133Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572132Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572131Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F41-609D-E850-00000000BB01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572130Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F41-609D-E850-00000000BB01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572129Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.834{E1BD9FC2-7F41-609D-E850-00000000BB01}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572128Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.818{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35E329A46EAAE4DEC7A1235DF1BD64C,SHA256=974ADE5701D9259D29904213A50056C8061BD75FC93D97FD9EFE0F989B1727A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670737Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:24.445{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51141-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000670736Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:24.445{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51141-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000670735Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:25.213{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A15E9A02312E07BD61301A0FF998702,SHA256=E9362C47115CAB61D2968E6DD6B577BBAB3AF8442B6FDB796BE0A7661B9C09DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670734Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:25.182{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670733Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:25.144{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E8F4D2708984465B771684EC13B7A4,SHA256=D81AC845AD27921A8351EB0C38373305126707E3F798FD4C67F84644163BF474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572127Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.006{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C732CE2CC6DCA3FF033D5AB539A6AAC,SHA256=6696318B7D7EABB1313E773402CD6C411D62F151749676AAB55117C00FC8A293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572126Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:25.006{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B64076371FF0681BDDA2CFABB7684C5D,SHA256=9BC81DCE92F7425E226497B6D9F710EEF5B77260E2937EDD9586FF0BD5659421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670741Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:26.813{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670740Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:26.813{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=4CC08D40D007DCD6A104F5AB504C9B9F,SHA256=96236FD9E8F959F7DC929B70221C6328C113A96FC7071155E5436A22EFB8B0BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670739Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:25.406{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51142-false10.0.1.12-8089- 23542300x8000000000000000670738Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:26.166{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06777BF29951812187CECEFBBE91D905,SHA256=ABFBB63077EF204A15CFE301BCC6613ACA03BE983A60A4AFE8C6C5FC389632D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572154Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F42-609D-E950-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572153Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572152Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572151Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572150Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572149Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572148Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572147Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572146Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572145Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572144Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F42-609D-E950-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572143Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.502{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F42-609D-E950-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572142Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:26.503{E1BD9FC2-7F42-609D-E950-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670743Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:27.313{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45FD2077F2C56B0392ADDF686A151165,SHA256=C2AE10C9823C4DA7F6918DCD88BB5D6D5EFD05D52CF3199EDE1701596B4CB031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670742Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:27.182{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F5332E7F092C3135105C8AAF25CB0F7,SHA256=DF92FA880248D2C923C1B2CA89AEDBCE569AFB219AE14EF2D1333D33ED8BF30F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572171Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.299{E1BD9FC2-7F43-609D-EA50-00000000BB01}3196896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572170Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.299{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2139F97107DB6E7098E73A803D791557,SHA256=AD5FBA736D2E397CC61ECC7E4F6357D7D4530128AF3063EA6B1C9BCD1EC23C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572169Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.299{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C732CE2CC6DCA3FF033D5AB539A6AAC,SHA256=6696318B7D7EABB1313E773402CD6C411D62F151749676AAB55117C00FC8A293,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572168Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F43-609D-EA50-00000000BB01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572167Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572166Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572165Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572164Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572163Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572162Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572161Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572160Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572159Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572158Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-7F43-609D-EA50-00000000BB01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572157Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F43-609D-EA50-00000000BB01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572156Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:27.174{E1BD9FC2-7F43-609D-EA50-00000000BB01}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000572155Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:23.637{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52757-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572173Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:28.174{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51557CB86FC373ABEAEF8E6AD00108C6,SHA256=5E03B32C46FED0C434A7815CD1FDEDE76FD220DB90FC8DCC5BF7974D83CB0F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572172Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:28.080{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAB0DB9A951AC6F20880B09A84F2A27,SHA256=0C588DC034144932D4156F5194E5D03C5616A9717FB9BDC1F8F92302F9B4F0AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670745Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:27.327{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51143-false10.0.1.12-8000- 23542300x8000000000000000670744Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:28.196{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAC756A221262DD99243F705C43BACD,SHA256=1A2B1469CF8DF91D17BA5470F18DD334B682F602BDC16F021E07F5B7E68D2DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670746Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:29.211{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72410A362D2DC048CAD95A0585AE27F5,SHA256=2BF12A1EF9D193D73865E54548F224220751FB156629CBF70AB0DFC8AE5AF2B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572175Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:29.768{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572174Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:29.096{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E028DB3FB183217B46ECD1CB693D6EDD,SHA256=02A1A68268E9CFADB1EDAA5B94CC3D4632EB49902649B5DA245612701F38CE45,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000670750Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:34:30.541{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x8000000000000000670749Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:34:30.525{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Config SourceDWORD (0x00000001) 13241300x8000000000000000670748Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:34:30.525{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BB71F2B0-B2FD-473E-8F6A-A6267F6C421D.XML 23542300x8000000000000000670747Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:30.241{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88FA3D861CE2F12BB8F9C986FD83752,SHA256=5CC1B96D23A52C78371FE02FE3F5CA4E0BC2941DBE0C6E412D3146310A0AE306,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572179Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:29.383{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52759-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x8000000000000000572178Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:28.649{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52758-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572177Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:30.109{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9047A5ECE5CDBA96DFCAE894F041C97D,SHA256=E7CE09DFB1D4DC272679100F81ED80E5655724187304919A5E117E132605286D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572176Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:30.018{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C72FE8ACF77DF2053E9EBA3CEB23D14,SHA256=14CAECBCD1535ECA6E2B5007D44CF9EBF867EC4B7C072A0E134E972D68AFE1C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670752Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:31.640{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F2B77DC934E1BC1E2FB9F1F125539C2,SHA256=FC40C9D4E1EDAEFBB63B9921A0094C2F3E363D55406F870685FC29105029C869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670751Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:31.261{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322761FB61893A1D5C8B3E4A4A351070,SHA256=3F92B1537686BD703E224763C3F54C718299B021DF3DB5B7419E2B636EC47E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572180Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:31.126{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA5E22790DD6968B1D4F9447084E5F8,SHA256=6AA361DE7B6E0F5C3D9217805B729CE1C8C5A353864141A691D0D2ADB6946560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572181Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:32.188{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4428FAEE7A5B13D77E4ADB89B4BBCD29,SHA256=2A28489B469F23F68A77E8782D41676C10B0F33B67E7EBBB78EEAFEA4210DF13,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670759Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:30.796{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51146-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000670758Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:30.796{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51146-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000670757Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:30.789{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51145-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000670756Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:30.789{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51145-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000670755Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:30.773{7B03F3B2-D0CA-609A-0D00-00000000BA01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51144-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000670754Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:30.772{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51144-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 23542300x8000000000000000670753Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:32.276{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDD55D7740754D1731A034A2454371D,SHA256=0728666BFDD32E042C5A70DF5718C4D47E7A9D14CD14307AC64C5717C59F7F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572182Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:33.251{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A5431F9A498613E652734F61A773F3,SHA256=560A0E35CA4B9335CD59D23B7107FEA56A244F2F9E9554BF27E20E9DAD2B6EBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670762Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:32.354{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51147-false10.0.1.12-8000- 23542300x8000000000000000670761Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:33.291{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC79ECED4C077C5DC28D73B597EEE67F,SHA256=379E6A49160D8C08C55C294632C21075F8296B511426ABABAD24C03C1CE02F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670760Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:33.122{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69C122082A006E2A00771DDA3E1771F4,SHA256=3DC1DE06C93DC35CCC1A547E36538E0C423A70CBB133E050D2F2DFFEE91EFBE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670769Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:33.426{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local57873-false10.0.1.14win-dc-18.attackrange.local53domain 354300x8000000000000000670768Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:33.426{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.14win-dc-18.attackrange.local57873- 354300x8000000000000000670767Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:33.426{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c890:a4f4:8987:ffff-57873-truea00:10e:7419:488b:cfff:1521:8400:89-53domain 354300x8000000000000000670766Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:33.425{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local57100- 354300x8000000000000000670765Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:33.424{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local64203-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domain 23542300x8000000000000000670764Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:34.305{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E785DC328394686EA9C3A256BBF9F02,SHA256=F5BB4E83D3EEC4F5128C9CCF1FB76D2C1BF908856522D416D037E090921CDBAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572183Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:34.266{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE6DEFF04535507F09968D2E6867EDF4,SHA256=DB94A9D5AF0E1F3BB12B0D8B8ABD99D8BFEB3B956BFC39B7341CD03039F8CF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670763Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:34.205{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34D1925581A3949800A9CC8E5154B5B8,SHA256=38EA58E41AA0AFCCC2D3FFF812CDF526D357AD82A85FE78EE0C24F880B3E5E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670770Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:35.320{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9956581E8BA0F5BA7F5D1C9F7F790795,SHA256=9FB4A88AFF196A615F2DFB85BAC7D701A877127E7EADDF97555AB6F55E03E8B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572211Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F4B-609D-EC50-00000000BB01}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572210Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572209Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572208Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572207Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572206Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572205Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572204Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572203Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572202Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572201Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F4B-609D-EC50-00000000BB01}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572200Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.876{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F4B-609D-EC50-00000000BB01}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572199Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.877{E1BD9FC2-7F4B-609D-EC50-00000000BB01}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000572198Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.329{E1BD9FC2-7F4B-609D-EB50-00000000BB01}32564024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572197Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.298{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838EAE69999C931EB5AF60824C96FE2F,SHA256=57CD9988DEF69E46A7724051574184BE9DF9274A32BFDE14CC9278D4A0B683D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572196Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F4B-609D-EB50-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572195Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572194Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572193Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572192Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572191Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572190Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572189Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572188Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572187Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572186Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F4B-609D-EB50-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572185Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.204{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F4B-609D-EB50-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572184Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:35.205{E1BD9FC2-7F4B-609D-EB50-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670771Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:36.334{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8FF3054B9447E3BDF840C2EAE5E8EA0,SHA256=A525B79E031B1A75C3F7650F5720F58C33675C9FD425ED7F2A97F8AB43679E56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572229Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.641{E1BD9FC2-7F4C-609D-ED50-00000000BB01}3044184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572228Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F4C-609D-ED50-00000000BB01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572227Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572226Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572225Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572224Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572223Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572222Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572221Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572220Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572219Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572218Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F4C-609D-ED50-00000000BB01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572217Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.516{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F4C-609D-ED50-00000000BB01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572216Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.518{E1BD9FC2-7F4C-609D-ED50-00000000BB01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572215Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.298{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71A51336AF55A6A4AF38EE5E2B8EFA4,SHA256=E904C40A35E51FCFC9173FD022EC79628BBB3C274F95EC2E890E9FBF12412992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572214Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.141{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=300DEE8736BC50F7F27B82DF9BB5400A,SHA256=4BECC94E1D0B6D7E43AC425E11971352E4E06A1BFC2ED30F961B5AF2BE8D24A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572213Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.141{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=625CAD1AC0310454DF2E1931586FF772,SHA256=058543D3DA6530E5C33BA6E0C18E7FA2D366EE9B2635E9049C42508829D2C865,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572212Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:36.001{E1BD9FC2-7F4B-609D-EC50-00000000BB01}39562828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572245Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.751{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=300DEE8736BC50F7F27B82DF9BB5400A,SHA256=4BECC94E1D0B6D7E43AC425E11971352E4E06A1BFC2ED30F961B5AF2BE8D24A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572244Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.657{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67357005E564189B1DBB766632511D8E,SHA256=78DF9EE2172BA90CC6D2135DDDCAA08B2DF2036EFFFFD51DDA50610A876E7529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670772Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:37.354{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD6F9A10F275B0E2DD549E467D40B91,SHA256=6B2B1CEB2060B824353FF9BCADA3D1DE810F0BDDEFE6898A4FFA8BBBB45E5316,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572243Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F4D-609D-EE50-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572242Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572241Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572240Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572239Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572238Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572237Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572236Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572235Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572234Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572233Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-7F4D-609D-EE50-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572232Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.188{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F4D-609D-EE50-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572231Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:37.189{E1BD9FC2-7F4D-609D-EE50-00000000BB01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000572230Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:34.679{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52760-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572246Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:38.673{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3564429F87D93C7878D38C038A1C54,SHA256=AEBB5DAD73390D979EF7D5458A50FF7E7FC8B0CE13BCFF6D5E4EA92A08E98F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670774Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:38.374{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4654C113208EF451BA89D608E785567E,SHA256=05BA869D77A94E4662A43A8DF2484797F9B6C6686D2921F6824D812FC20E15BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670773Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:38.151{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94D7CFD8C6C6556DED3B2E4CE707CF62,SHA256=959F6898417D62CE7CF16D7C29869DE709577DE216DDE22C4AD65E91F21421E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572247Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:39.688{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747F6FE9987CE194DBBAF30FD4AABBC1,SHA256=C0732537F56B6BF4F652C81AE4CACE245E76D47942F9851271F54C82A47CED6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670779Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:39.904{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000670778Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:39.904{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670777Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:39.904{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa79d253.TMPMD5=36DBBADA813EDB200C2B5A8128054E48,SHA256=F4E0DB2CD90C5DD2683AE772A460616D1F0DB8B7E1C978F725E37B250DA33754,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670776Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:37.379{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51148-false10.0.1.12-8000- 23542300x8000000000000000670775Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:39.389{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ACD9CCFB2FF1FD15ADC90C011574839,SHA256=A296A2EE17B4F439E10149EE3D185478009EAD39D0066EE35CBA1BD47F0EA24A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572248Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:40.688{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BA0768BE88443021E0E8C93C12DDC1,SHA256=6D3456B8B7791F9030DBD25A58A9EF753F0E07048A31EBED253E81EBFDABCF43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670783Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:40.877{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670782Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:40.877{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670781Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:40.877{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670780Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:40.393{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4993473BC662E0352A259C4693A1277A,SHA256=4EE68EA820F552B81D96FC7D5C9841769A2B6A46AC11F0B63D8729AE813999CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572250Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:41.688{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDE77099F64E78A7A1B51FF1E30AEE3,SHA256=30C1D294A6C69E177580FCAACCC09D86C3591FC1F95ACCD1DAA2F6A793A42A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670784Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:41.408{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CBFC13944D986CD0FE81B45FA8E72B6,SHA256=3753C0DE5B9EA0F5BF65ADC48A3D4F9CC333DDE2BC8FB596958795D1A51EBA15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572249Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:41.173{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8B74273E729F8894A82E4777F01F1B9,SHA256=98468127434EE1438C670F23DFD83ADD9A2AFF66688FE022E4D2AEDE09E962E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572252Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:42.688{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC747D05FCECBF6A797B29DBD113E1B,SHA256=A1CBB3F4DB92E9E11B7513339007E22F8E5572A0B2E0D675A767A48A5FD3C6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670786Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:42.422{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563886760B3F92D7A6417C52914B147A,SHA256=11FBB17FCE9EA634EFF0F2F91684E734F4927363118B204EF277A10356F10F8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572251Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:39.773{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52761-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000670785Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:42.322{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A495B98FAD0469174E6DCA79DDCE90A,SHA256=B7FAEB7CE7EA017D05449E5E5886FF0015E01A5169FA1D38D8E77FD3CB8DF82F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572253Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:43.735{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F632C6A38C57894F0A86012DB95EE97D,SHA256=19BDE7356933FAF2792ED3AA5F071A05B045C5393A7822B1D274BE6BA7E1D73A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670787Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:43.437{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6D3C42B1B2443E05E61B24FBD3B46B2,SHA256=21E34CAE73DFB8A2C83F2060C3230B75088D65AB9043C8AAF80A826B4F9E490C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572254Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:44.735{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF869841CD8D6EFE16E8E51DFE4F663,SHA256=B81ED30C6526EC59579EB5BC9A727A8B147B282CDDA8B3FFF046BD73A33F2D19,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670790Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:43.383{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51149-false10.0.1.12-8000- 23542300x8000000000000000670789Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:44.454{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90C786D195D490587C75736381E08BC,SHA256=A2E7BDB237EEB42F95587D23F3BAB9CCD077ACA65A5B9013260B8180431E33CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670788Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:44.174{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86D4EB1E15B2273BDA62F93D6DC89BD6,SHA256=D18BD34DC9738E9F505D187B84CB0BA306B05E9AC37EB013257659BB88BBC127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572255Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:45.735{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C1178B4C9A6091BF6B9BBC09653EC0E,SHA256=82E08C69F19764EDA8DF99922EEB6DD7CF02894AF940ABFB1767B6FDC3DB8B7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670809Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:44.322{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local55209- 10341000x8000000000000000670808Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.755{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F55-609D-E555-00000000BA01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670807Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.754{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670806Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.753{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670805Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.753{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670804Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.753{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670803Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.753{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7F55-609D-E555-00000000BA01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670802Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.752{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F55-609D-E555-00000000BA01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670801Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.752{7B03F3B2-7F55-609D-E555-00000000BA01}7620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670800Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.505{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70CC36F2AAE4EE912C4E4D219A264B39,SHA256=C09BDA262738D710A1C9993FFF72189C7368E54325F932D9F3AD2E365EE9846B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670799Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.257{7B03F3B2-7F55-609D-E455-00000000BA01}24164728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670798Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.074{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F55-609D-E455-00000000BA01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670797Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.074{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670796Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.074{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670795Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.074{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670794Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.074{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670793Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.074{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7F55-609D-E455-00000000BA01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670792Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.074{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F55-609D-E455-00000000BA01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670791Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:45.075{7B03F3B2-7F55-609D-E455-00000000BA01}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572258Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:46.739{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2D1E7C51F179496D5B440F6F1DF687,SHA256=FA043F89E6017971F31B6BD200AC43E99628E06DD9630270B734368BC7BEE980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670819Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.520{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9891F0E3A353588D574736B6D25D3FB,SHA256=09BA76F40702A1C02F3F8BE73F40C85CF9CD02A2C62866A156DA45EE0A78B2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572257Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:46.282{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20BD305815CA0CA3BD0BD32EFBC477F9,SHA256=CC839DE6240E22E77A77BA9D0CA81BC95B45F5112CE09070521936312B4D3E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572256Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:46.282{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9009432DCE40398EB0271DD3854BDCF9,SHA256=A67662A44A4E6B58A31CD88335B279E0649C51EEE2F98E890E137E77C6FAB743,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670818Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.419{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F56-609D-E655-00000000BA01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670817Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.419{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670816Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.419{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670815Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.419{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670814Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.419{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670813Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.419{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7F56-609D-E655-00000000BA01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670812Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.419{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F56-609D-E655-00000000BA01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670811Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.420{7B03F3B2-7F56-609D-E655-00000000BA01}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670810Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:46.088{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FDEFAF7D96FBD983C64BCB54F0A02FB,SHA256=A2C1389CFE16C3ADDC36C1FF75BEF305B60B7B0797FFCB1E71DA5CBD664D4A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572260Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:47.739{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6655218FE94932049D2D63803FB59787,SHA256=84600578FB009FD6FD06C3291C997DC7B2F288D2FC788509E5423BA6D5E97B8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670838Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.873{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F57-609D-E855-00000000BA01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670837Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.871{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670836Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.871{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670835Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.871{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670834Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.871{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670833Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.871{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7F57-609D-E855-00000000BA01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670832Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.870{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F57-609D-E855-00000000BA01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670831Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.870{7B03F3B2-7F57-609D-E855-00000000BA01}5888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670830Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.523{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A592889646F5DE532136CCACB872DBF2,SHA256=3CEFADF36D8EACE9BB37A8A54B7672093FF2D1292B38C830282116CA58EF3EB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572259Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:44.882{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52762-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000670829Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.407{7B03F3B2-7F57-609D-E755-00000000BA01}64163380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670828Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.307{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD1781B66D82AE40EE53DE0A0F8E64FB,SHA256=D8A57292CD285003DF7BE234958327B1C9D5B9610950DB0F44361BAD88A813A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670827Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.208{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F57-609D-E755-00000000BA01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670826Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.208{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670825Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.208{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670824Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.208{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670823Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.208{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670822Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.208{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7F57-609D-E755-00000000BA01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670821Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.208{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F57-609D-E755-00000000BA01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670820Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:47.208{7B03F3B2-7F57-609D-E755-00000000BA01}6416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572261Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:48.739{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D0264CF04FD6DD99E6871AFA39FDC7,SHA256=555DB5EBB0D8546239F2AD32A52648655B647B76F21CF3706807120A00F72953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670841Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:48.524{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6C7828283178BE8A1DC80BD6E970FD2,SHA256=5B4BF3D1961BC6D9BC610B36FDC625C723DF36F953F346961ADA1766F041EBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670840Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:48.424{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B6A7DEC27D3A4FE399B3703A265DCD1,SHA256=4C4E697EB5720CB2E119B68AA0CD4E0FAAC8AE12F0406B231B018673DCF4D90F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670839Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:48.076{7B03F3B2-7F57-609D-E855-00000000BA01}58883848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572262Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:49.770{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B524D0E3D8C1FF7347AF0F1DE869F6D,SHA256=EBF80020DCCE95B1EEF9B8DA45157EDCAA663D0068A83C16CDE252F6DC23EB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670842Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:49.539{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35453F663A14D1C06D875D74238690A,SHA256=34011CA256EE365CDE105E54619EF620C7CBB38798FC3727303FCFD369DC116F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572263Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:50.802{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B070552FA7294D23D76F9919C143A1F,SHA256=4493CB3A8A21986E3F5B16EDB5E3EBBD1CACAC5BE2D522C10532375C75366892,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670852Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:50.838{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F5A-609D-E955-00000000BA01}7952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670851Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:50.838{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670850Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:50.838{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670849Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:50.838{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670848Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:50.838{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670847Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:50.838{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7F5A-609D-E955-00000000BA01}7952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670846Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:50.838{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F5A-609D-E955-00000000BA01}7952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670845Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:50.839{7B03F3B2-7F5A-609D-E955-00000000BA01}7952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670844Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:50.553{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D824D552DD9E7C0DEA5F97DD0CC2802A,SHA256=2C8FA36144CFD2EB0319C704E69726743DCE27644742639FB71C22CD2AC32CAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670843Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:48.399{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51150-false10.0.1.12-8000- 23542300x8000000000000000572264Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:51.848{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21CEAEFBA4EE9F8CE88E98197EFC0C6,SHA256=5E73FA2508EEB090861422C5CCD883AC0C77CC498B3F4522A72300AA5EE024BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670863Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:51.853{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9E9CA1052864A5CB027B4F1D2A2C4D0,SHA256=3171C3E616D4F10F2E4B81A55180FDC59A7EA3A4F812DE77B7605116FB97746A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670862Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:51.575{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34ACBFE99E78C7EE2590200BDFF4C3A9,SHA256=4E46FAFFF0657736E3B8FE632FCF5968C1EE131891AC68A1A6932FD2824FCB6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670861Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:51.522{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F5B-609D-EA55-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670860Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:51.522{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670859Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:51.522{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670858Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:51.522{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670857Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:51.522{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670856Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:51.522{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-7F5B-609D-EA55-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670855Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:51.522{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F5B-609D-EA55-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670854Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:51.523{7B03F3B2-7F5B-609D-EA55-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000670853Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:51.022{7B03F3B2-7F5A-609D-E955-00000000BA01}79527416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572268Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:52.880{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2BE9A99E48B01F3C96734465DBE617F,SHA256=5BE03179DFCAC63C1C5B91596220A0B47B20F28DC5B079C9897801E4F570A458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670864Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:52.589{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE5F8C3C3FC8D10637CD37B72F794B9,SHA256=54B070BC863779129F7BA9AC92345CE7F513D7DD45E4D3EA18E796558AD894F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572267Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:50.730{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52763-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572266Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:52.145{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EC9AE3848D2D98E6FC60D355F5558EC,SHA256=F1339EEAF8555F93BAF3D0348E778250564030C950F077CF7E02FF3B90A9F02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572265Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:52.145{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20BD305815CA0CA3BD0BD32EFBC477F9,SHA256=CC839DE6240E22E77A77BA9D0CA81BC95B45F5112CE09070521936312B4D3E43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572269Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:53.895{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A3534B906CD174647DEC4FC1E9C3B3,SHA256=9003B25C4B7FBFA2E4BC67A684B3B9E9CDCB8A823B843725CB35AD5D2F6E3F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670866Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:53.603{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA8A877C58840378882E4250C114A95,SHA256=9E24F35F1443D5D201D501DB03856ACCBA8D8FF1C81A81E0B01E8DB3B707DD11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670865Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:53.550{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C3C675813231834794C1C8FD76200181,SHA256=96C58D6919B4E07221E75C597E7DF6B1D8AB508A1934E9875475DB18F0115B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572270Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:54.895{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A774B1B43AD5E5AF0CE5AB787EC9A35,SHA256=534DBC29CC26C6482263503E9275D5CB63C918343B269829B2D557F54FDCD452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670868Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:54.617{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871531F037750DA7C1171A1545D15506,SHA256=1D9883F8C1821EC9A1DA4301C817DBB6B6212A011A284637F715BB47703A4984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670867Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:54.234{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37A4B45DC461905D43642021C0A077DE,SHA256=A4338AB6409DF649C22758E77EC0C490FBF73FCEFB6D979C1F1FB5B4E1305ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572271Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:55.942{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80BCE09B63E47D99DB8007310D8285E3,SHA256=8EACE5102841D25609A6A7BADEC1A37BC6DBED1388575DB88FF14E1381AF2DD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670869Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:55.632{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF4AC2C6973D6F277B69DF7406F9907,SHA256=D72321991F0CBBEE5B1AD163D245FFC945C518A89B06D7AC88D852A9955E1F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670871Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:56.646{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE582DF0CF7EF7CC62944EAB3ABBF6CC,SHA256=2E42D6A3F8E17E72233B93BA64499D74FF34B35D50B2E75C18D14E1D86BB7483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572272Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:56.942{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815A73C660A6D668D0B3A85B27D43FFF,SHA256=12FE8406376D6FB9AD78D3A6C6D3A4212ED8A99E19A44AFE7FA363ACB822D0FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670870Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:53.450{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51151-false10.0.1.12-8000- 23542300x8000000000000000670872Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:57.662{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD924A18A1AA980D9DB77649322A5779,SHA256=C9095BE0D0F3F1224E93153D6D5040BEF63EDFE4A66D5567AD9AFECF0CB19443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572276Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:57.958{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC77DEFEDE9829CE9697ECC58363BAA,SHA256=3FC68778421C75928F2254D55A0B8FE5123CE07AF2FDC4E81EAD34EBE1468554,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572275Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:55.839{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52764-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572274Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:57.223{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E6E45125F89E5F093DA0B41915B6505,SHA256=318FB313F855A77EF7766053F3B1F89E3F9FB4F4DC57CDCD36806E1328F6A9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572273Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:57.223{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EC9AE3848D2D98E6FC60D355F5558EC,SHA256=F1339EEAF8555F93BAF3D0348E778250564030C950F077CF7E02FF3B90A9F02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572277Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:58.973{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0D054FDFD5A2F36850AC083BBA4892,SHA256=5C27C965DA48455D79F61D2D25D5C44C0650653BBACDC054CE9882B80109A4D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670873Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:58.696{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE9506B4EC1E5CEED67805212098FA7,SHA256=9763DD26BE5BC0B0C5C3DE9BB9B5DDC17202C7C863BC10752492688DB213424E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572278Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:34:59.973{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16247772B82682AC5EA65F20B8371543,SHA256=B60224457D2ED36E31220031CD0626CC508B909520799809C388749662EA1FFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670874Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:59.711{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F9FAC843E1D7029ECFD792ABBCB925D,SHA256=477B5CD842DDA237E1072283C26E063D4731C16096F4FF8DC13ACE2352E4AAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670877Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:00.725{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6157FB65E04621949EC4209B0E48E898,SHA256=4774A60DBCF5221D084F5C040737DC5A41D3C4A02EE3225BC577A243CF0557F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670876Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:00.126{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF7D4A29B0595CB2AE630DF094A37996,SHA256=CEB42CF59076FDD45366D7E4E8209E0C36BF629925432AC624F0516C812D90AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670875Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:00.126{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25420D66FAD724FD72AA516A1C78A1B7,SHA256=D95CFFC5206E3FED3E7C536FF9F9DB9E998E362889CD1EC3B5103060286F951E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670879Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:01.758{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2A1EAD58702137CBB6A555785772DDA,SHA256=E3E0FE67003B36AF759EA72FFDE14CE3D02FA334A03AD2695D51DA8C547D57BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572279Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:01.067{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46D57191E48A317698C95DABDF3FC42C,SHA256=6085701B4F274F97B59C5A020A12470953FE0566E4FB3857A04B47CB4F148AF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670878Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:34:59.357{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51152-false10.0.1.12-8000- 23542300x8000000000000000670881Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:02.792{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726A18C44CCD28552F5F041057BF5A0A,SHA256=3BCB84CD8D881130DBCA60DE2EEF4050FCFDDE943F5CB69C7E40954014F649C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572280Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:02.083{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76856FF43114CD3BDFB3B4D113756823,SHA256=6313964ADC1C0B90141859AD1484046E102845CFBDCB90EF8999513438F0F030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670880Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:02.324{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF7D4A29B0595CB2AE630DF094A37996,SHA256=CEB42CF59076FDD45366D7E4E8209E0C36BF629925432AC624F0516C812D90AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670882Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:03.806{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06E53169A87DF474D21A11D8EF7077E,SHA256=5C0836FFF05B7B2A73CD5DC73A52EF7516617516B7616EE113A24C0FAEC4856A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572283Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:03.098{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C9BE628751E77ADB3B67EA7C9D1DC2,SHA256=63BB71037AD6DF805D225F08459732C125A53C224BCF753ABF649B6E5F06E9F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572282Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:03.083{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D501DD1FC0BE9FAB7E879E757CAB4C8,SHA256=ED3C6C9A11A7B1406378C2F62CFEF72A273B74755280C823F74A45E61911F64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572281Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:03.083{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E6E45125F89E5F093DA0B41915B6505,SHA256=318FB313F855A77EF7766053F3B1F89E3F9FB4F4DC57CDCD36806E1328F6A9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670883Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:04.854{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425348FDF0527F586EC6C07F1B5DE75D,SHA256=64BBB09BD8A65EE48C6C8DC1918840F2E391B19A9764A58B01797D1B6DD14BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572285Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:04.114{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51065B920D65AA68F741DBB1FF5FBCA0,SHA256=88E1E0F5F25F5F6FDDF1E25DBC9974627FD10CD30EA085B1594DBC03EDA2FD26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572284Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:01.652{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52765-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000670885Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:05.874{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5783F30626C3D6C8CA91589F50B3553D,SHA256=2B5B59D2CD054FE1D21E906136712E684AD5B264E099ECEB0293E97F50BC3485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572286Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:05.145{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75297EC051D7711BE13947228576B28A,SHA256=742164D8CBE639ED94AA8FE1693BFFBCF432F9EB6D89DF884F6F6468EE694A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670884Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:05.221{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCCDD129D935F9605F4A67633568052C,SHA256=E9AA6EA5D3AC0DEF1665923F2A3B172128DBEEB4E5D8FBA462D7F4AD2ABB63F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670887Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:06.874{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A161D059268DC5055132C4378F4547,SHA256=14003F0C53B968BEDFC96D9ECC4090E173DD79035649412B2A107D08205C9141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572287Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:06.255{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA4C74C70DEDC4342AF0A1C3BFF5ECA3,SHA256=24991D829412069646B5FF398C0D9C1FA1023334FD542726386CBD78F8BCD211,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670886Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:04.436{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51153-false10.0.1.12-8000- 23542300x8000000000000000670889Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:07.888{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297019FF6AF02ED0822B2D33838CA5C4,SHA256=DF8C2065A117EBB9FDA0404FF0B906DEEA4AD3E78547814FBEE7F876A7733152,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572288Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:07.306{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D12DCF20E0AD52948CC3BDF513F9B962,SHA256=C9921E6ACCDED7A3E000D3A92703A0B857DEC75B51F85E6B86925B6A62D8DE7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670888Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:07.355{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CDDF934971CDCEE4E1CE6DD43B6A2D9,SHA256=404FE57CB6E61F91803FBAC161E44330DB22605393BF0864F9901C287AEBF6A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670890Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:08.904{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED818E5B313AFC3DA962B2CD2540725,SHA256=20DBDE214B0BAF63B756117481B865D20CC4CBC8D061520074A39B7C8D5F70A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572291Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:08.321{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FF3111CCF2452EBC6D3D02783A63ED3,SHA256=1B3E139C58D71629731276A246FB669BBD53D427ED67367F8DE180651EF85FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572290Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:08.321{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D501DD1FC0BE9FAB7E879E757CAB4C8,SHA256=ED3C6C9A11A7B1406378C2F62CFEF72A273B74755280C823F74A45E61911F64A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572289Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:08.321{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC4BA34A5772F5EADF589852B46CD7A,SHA256=0068AFF4C0FAA912A1C55F2788E01B35AEFB017CE7A525752E4C6061281FEFDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670891Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:09.918{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6623ABE13025C111E07164A19D24B90,SHA256=41270421FFB1C27B2C2F7558000D849A3D19267D6D56C0B1F7427D9E7CEF5A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572294Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:09.478{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9D9D7D077C75EEE48C2E0406ED7326D5,SHA256=0994ACCB04BB4B520B07959C724FF29370D80613171E6329A01EBC2DB641420A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572293Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:09.337{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE32839E7CB8017A8FFA8AA06882951E,SHA256=C021FEF0F0AB282265F76D124716B8080429F08B1DF599938496C377DBD77BEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572292Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:06.703{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52766-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000670892Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:10.934{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091E50485BCFA40A75A762AB2BC85767,SHA256=49390DF9864AA341CC8E268962A61B6B6197BABA15DDC6A0D0B020C47FCB0E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572295Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:10.415{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5190AA2F443F9A108A57A89625D177B1,SHA256=88473926919239232C50F9821E87512EE8C1241A41FC846D75B5B908D3D0D4D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670895Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:11.970{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E05BA75DF55AB6B1744218F5A7FD7E,SHA256=3EE9E0C4B1EEF9FEDAFB29C7226A43576BD1C87D9A3EB67CE36503459BA4E037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572296Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:11.478{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C641A269AFA7BC6AC6C78DB348D29F5A,SHA256=7AF5C213EB3545A2A2AEF263673AF0E4370FC025CAED76E2E1654731CEAB50FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670894Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:10.299{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51154-false10.0.1.12-8000- 23542300x8000000000000000670893Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:11.102{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=297DE8F891BAD7A577CA272ED31482BF,SHA256=421FFFA1E299BC9DF6B7D2E28C84A3C790A635BC911E418B4B5A3F117B2A0AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572297Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:12.509{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84CDC5B03A9CD7AEA1B31D24E8305A4,SHA256=A0ECEF066CF12D92F3F75D8464CEFF211B152B39B6EE41C2D9D0532D3DD12CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572299Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:13.540{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF01C22116EDD132D0B2CFE26ECC3EC6,SHA256=D3717861DE218B6DCF1435A5C44A6695464C3F1640BD951645A1851E60F6570C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670896Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:13.031{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BA81A5E2C6CD60E236BBAB31A55A9A,SHA256=AF3B771C9487517F31E47109887631FD1EDFCDDE52831D8DE22AFA3A5E2ABA8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572298Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:13.181{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FF3111CCF2452EBC6D3D02783A63ED3,SHA256=1B3E139C58D71629731276A246FB669BBD53D427ED67367F8DE180651EF85FED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572301Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:14.556{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8A4B79B038F4ECA58591E4AF8F1961,SHA256=22EB7BD8BEC1BE9268E118D2E80B46EF23206A6CA56CCC535C021AA89B507299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670897Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:14.048{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C27A08476BAC9A2FE0C6D1BF73EC40A,SHA256=348088D818AECBD4F057982CFC6AB45F370B5DA28482E79F7139ADEB8AF8A1A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572300Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:11.781{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52767-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572302Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:15.571{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A959A2AA96CF8D20CFEAEB1B76A2B9,SHA256=A26DFF11923B39958ED1405954FE8D2A8C2B800B478D4F9D237D822878B3D98F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670898Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:15.066{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7A2C8A5A2B78D832307C90CADA65F50,SHA256=B48845C9BC587630688801E2F91ABBAE50E19AD57BBD65D8B4CAEEB9B4B7EF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572303Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:16.618{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2605F15D6952970A1BC64D25DD4116AB,SHA256=875B870A97CAA35EB4B0400596EF678C0A8BDEC6B963C031A2309824ABC29BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670899Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:16.096{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1384170C2DAD8279634D1FB9E9A4C65,SHA256=DD86D77A8CDBC97F74C289619300A012475B8627E62A8BEA5318E917EE303D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572304Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:17.618{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE531E6BF35721C082A3B0E56BAA2A5,SHA256=41CF2E4A0908A574BB15F4481516E75C9EC0EFB0B4A0A1F9E2D9862A88B085B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670902Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:17.111{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7D81D35FA5064BE909A12D4C4013E0,SHA256=8E2E9D38EC385AF448989112E830795DAC15BD44CA9033BA8F3C04D8EAF7F278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670901Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:17.095{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B05B02E1A3753A59A56610E5C5125177,SHA256=FE1C4606BDA228AEC2765F08C59EED3E21C3D3438A84137C211B263850824914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670900Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:17.095{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4EAF4C6E6F895BAD066D788B2C5251D,SHA256=21A80B509DC1955FDBB7D3BF70B3E3C38A31F0CB5902C2F45804C016BCB5080B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572305Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:18.665{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A84EA126DD33A71EF4EF770BAD59DF,SHA256=29C08FBD77276C296035C7EE16CA93BD854CD4D14A5EDA85E71E58B56F8E6970,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670904Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:16.327{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51155-false10.0.1.12-8000- 23542300x8000000000000000670903Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:18.125{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66FB61AA56D3DCFA7138537F3C22F8F,SHA256=F19C667C93CE2154244521414C2FD2DEAAFAFE88BE439E9F1944421A37873EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572309Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:19.665{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743DFA2AC69BA5BFE71D782B4B570728,SHA256=D89513359E9341169242523524EE98F13AFDAB257CEEC0E78D18A5C293E29933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670905Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:19.143{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852BE6B35F595E640FEF3E6DF703D6C0,SHA256=2D07F39EEE3031DB308C76800EEB9EB134FA697D0C864B6338BD764899183FC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572308Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:17.703{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52768-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572307Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:19.103{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F72581CADB616F124A3F8FB98F6DDDE,SHA256=0735D4881A4C7111ABAA7150DB6DF55F5DCF2167891ABC858CA336485312821F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572306Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:19.103{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FF035999E09BDFEB72A594D0426BD2C,SHA256=E0C54F21084EDC35CC97F1D4F4941FC26B4DE92FEF2F6184403A8E3ED7A5DC71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572310Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:20.665{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5B9C669F955048F4741CDE53102FFC,SHA256=0F4FC6851778D1395DB3E4A3A67FA0E86197DEFB6238FCC0D9B515EAEB655AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670906Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:20.162{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE9EEC939D03CC0374D346A95450823,SHA256=12EA164F49E5C612CFE85BA900AE033BBE6FB8C3DE23F32E0F4AFEE2CD0F93E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572311Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:21.681{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB205542FE3062BBBE170A947005D963,SHA256=2FBA5498739F305ACD371C25CB2F0A466607EE62982E739E159A4C1682766ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670907Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:21.176{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62A8CA3BBDD6E0EFE44312A5966BE836,SHA256=A860A005D1158D48F60F18D1324DEDC04DD32975BA344592C70EF39827E11709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572312Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:22.681{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30619ADA01C48A2A1183FD5D1CC2AAB4,SHA256=C81BA98641621916435C529127813BB0C91860E07D7F98FF66A7022D9EBEAF38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670911Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:21.388{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51156-false10.0.1.12-8000- 23542300x8000000000000000670910Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:22.191{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=938A56F48A86D647BF76C9D255CDC743,SHA256=A7D1AF4145B428A89DF185D224F978E3AB1E1BAC3FCAE3376F8C5293F987F9FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670909Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:22.160{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B6B745FC954552414BC59CA2E055AEE,SHA256=23E21AA73E5DD3D62605E462C8AD81F4C54256ED8CCBCFCBAB3CEF2F59ACC5E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670908Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:22.160{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B05B02E1A3753A59A56610E5C5125177,SHA256=FE1C4606BDA228AEC2765F08C59EED3E21C3D3438A84137C211B263850824914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572313Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:23.743{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=141EEAAB49B2A3B47E9F4FCFB2C1D7D0,SHA256=D2465414A767E915B657E591F22CEF8255596F9689DEB15BA973E0797A858304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670912Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:23.222{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A54E0F38A2284705FEFB57A20A29074,SHA256=F4F59424294C2D73D46301D714615A21D4D4BC1205A4733B420E62E936AC3958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572317Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:24.759{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0041337ED63CE358C4799BEEF73B6F2,SHA256=7D7A242F578C725149AC484CCE995F77FE623C6A844423052933DB0660C6EC57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670913Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:24.239{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5353F9CB27C1AAD663970FD2CDE5F73,SHA256=5CD823029C126E18282E47635454BF932FF6B11788314AC17F94497AF5DA558E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572316Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:22.796{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52769-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572315Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:24.165{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1B68C1E1F94C05F048509438A610E55,SHA256=5C541CB9023D040AADA64A91174A8215EAB33510062D3E21749850C39FCDA16A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572314Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:24.165{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F72581CADB616F124A3F8FB98F6DDDE,SHA256=0735D4881A4C7111ABAA7150DB6DF55F5DCF2167891ABC858CA336485312821F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572331Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:25.837{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F7D-609D-EF50-00000000BB01}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572330Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:25.837{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572329Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:25.837{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572328Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:25.837{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572327Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:25.837{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572326Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:25.837{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572325Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:25.837{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572324Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:25.837{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572323Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:25.837{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572322Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:25.837{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572321Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:25.837{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-7F7D-609D-EF50-00000000BB01}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572320Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:25.837{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F7D-609D-EF50-00000000BB01}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572319Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:25.838{E1BD9FC2-7F7D-609D-EF50-00000000BB01}1068C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572318Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:25.775{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C095179AAE0675CF4B637057C3177BDE,SHA256=D9544B7FAD96D0F22BCBCA8FC98799098A2E6655652B1BC47EA2650099A870FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670918Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:24.451{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51157-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000670917Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:24.451{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51157-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000670916Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:25.275{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB50B67B99002FF36144688647AB51C,SHA256=B791A83A576E2EB2A1A052C383F18AC67E098C24C94E15C0852255150F509051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670915Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:25.206{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670914Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:25.206{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B6B745FC954552414BC59CA2E055AEE,SHA256=23E21AA73E5DD3D62605E462C8AD81F4C54256ED8CCBCFCBAB3CEF2F59ACC5E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670920Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:25.436{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51158-false10.0.1.12-8089- 23542300x8000000000000000670919Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:26.306{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769D39BC59F879B95EF30C52575B6F5A,SHA256=397438AF9A5716B0D200B00ABAC4599F6658C8BDCF80AFDA9FB70381556886AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572345Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:26.630{E1BD9FC2-7F7E-609D-F050-00000000BB01}24683364C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572344Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:26.505{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F7E-609D-F050-00000000BB01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572343Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:26.505{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572342Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:26.505{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572341Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:26.505{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572340Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:26.505{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572339Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:26.505{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572338Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:26.505{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572337Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:26.505{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572336Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:26.505{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572335Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:26.505{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572334Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:26.505{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F7E-609D-F050-00000000BB01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572333Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:26.505{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F7E-609D-F050-00000000BB01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572332Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:26.506{E1BD9FC2-7F7E-609D-F050-00000000BB01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000670923Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:26.436{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51159-false10.0.1.12-8000- 23542300x8000000000000000670922Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:27.321{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662C3F4D6F1BE2B1789C7D73203B0C30,SHA256=553D237B15B3E28A6D134F66BF88EAD30AB4890BDFBFF9537271824EA01F319E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572360Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:27.068{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F7F-609D-F150-00000000BB01}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572359Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:27.068{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572358Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:27.068{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572357Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:27.068{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572356Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:27.068{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572355Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:27.068{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572354Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:27.068{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572353Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:27.068{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572352Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:27.068{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572351Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:27.068{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572350Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:27.068{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F7F-609D-F150-00000000BB01}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572349Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:27.068{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F7F-609D-F150-00000000BB01}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572348Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:27.070{E1BD9FC2-7F7F-609D-F150-00000000BB01}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572347Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:27.068{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1B68C1E1F94C05F048509438A610E55,SHA256=5C541CB9023D040AADA64A91174A8215EAB33510062D3E21749850C39FCDA16A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572346Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:27.068{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954FFF694851443DBA52FDA3F5D10BB4,SHA256=8FFD1BD8BE1BC654EAC62DF6B009EF70FC46ACD3B920401E4716BA198436541F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670921Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:27.241{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=110D96830AA73B607A6469CA69D65571,SHA256=53F8910C10BAAF500D457169843C68ACE1066B91AA3F0B4A4A056BAD916192A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670924Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:28.338{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB951BB3584FDEDA2866A99F22EA56C,SHA256=DCC3D03D590E0D3849EA9B60BB3115A3B830BDF114EB2FEF7FD8C4BCF61B2373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572362Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:28.083{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB9A84B472DE2745D13F9B82D6D69A8,SHA256=1B9FDABB592A0DDD85DC625749F241F5979EA8C45C0B962E5688DDF1BCE32379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572361Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:28.083{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6ADADF3A42B4825C78905BFEAD380320,SHA256=EF2C0227644E08FD0CB14DC1F0FF3314F686F3EE6801D7704477FC5B4D97F514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670925Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:29.356{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D476C9E9612B34FBF98F180DFE52633,SHA256=3B0D973ED9B555AD5750C6EBD77CAACA6B92B4077F3E328E3B1C58B2A098E6A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572364Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:29.786{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572363Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:29.099{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2269607D26A42C7F1161D2B73367493,SHA256=22F5E9EABCF3429CC54685A1A8BD8DC6ED055B895106E09FB9C8BF19299A4517,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572367Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:28.746{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52770-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572366Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:30.116{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9CE0C8200B36FDD6175F896BB1D2B22,SHA256=DC191B11872651EF8567571D2F5111C3AE76D82666D0D51DE8F0592EA964CFD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572365Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:30.116{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F3537C09B73E5345380C5C71B42760A,SHA256=4CE7FC18E9812B97C21370E8F757B4B7B7E221CB6BE341897C394534EF110211,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670929Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:30.956{7B03F3B2-D0C8-609A-0B00-00000000BA01}6327824C:\Windows\system32\lsass.exe{7B03F3B2-D0C5-609A-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000670928Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:30.818{7B03F3B2-D0CA-609A-1600-00000000BA01}13046684C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670927Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:30.818{7B03F3B2-D0CA-609A-1600-00000000BA01}13046684C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670926Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:30.372{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36AAD9323EA34FD89BDF8C8F1DDA2515,SHA256=A87E759AE83923B4839668071C073AB1FC7D3D427761BAAD65E5D8965A4B3528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670931Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:31.402{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B123F1BF0C95E62CBF6C514132742D,SHA256=046FDA4637663F99C28E183A1E74A14A4D410F51B953554EADADA34395DB1304,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572369Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:29.402{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52771-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000572368Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:31.152{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3188FD7A9079AD6830DD2AE444BAF303,SHA256=C6588EAEFB61D2E3A7C7F30FD276AC43946F602E33766452FAB28EB3F7C828FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670930Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:31.171{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C38C021413D5AAE07E330711C16FD2CF,SHA256=8BB571FF71B9A051A4642CAD08733070BADB21A94678C3E4444536A6615A24EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670934Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:32.434{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6827F50BFC6CF7663A9D2DE057CD1885,SHA256=620B167B0F9A1ACAC80F92CE9E82766DDC628E03CB238A2915AD6EE074AF0688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572370Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:32.154{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BC6037B66A227076D9A3C32F6E5E86,SHA256=F59B2BC66C83380AE03515AE14B50228E68A49CF0457081A567B5F4A1D8361E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670933Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:31.202{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51160-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000670932Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:30.382{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local57775- 23542300x8000000000000000670937Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:33.484{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D3AA62EF0CB162EB3CAB53784539A9,SHA256=7D6294C0BBD050831531579C944925E0831D194EB26241BFDBEFD43BCD2EC5B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572371Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:33.185{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A46FB84DD58420C7E813B23E6E772A,SHA256=DCA9690AA319F9310612AD8B0062FD62EF2F2D4EFAABEFB70AFF9B55970C4FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670936Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:33.236{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CB0C375528583F480651A55E8A3C5DA,SHA256=C08703CC3F5B081F3C31841C8C710FB4582738A6A04737A877273CCBC889A840,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670935Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:31.202{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51160-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 23542300x8000000000000000670939Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:34.498{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4D55532876FB1C84188F9C0E91BA042,SHA256=9D26346590C2A763C793FA1D64BDCAC2F24B95990A4318FA12B958A46FCB819D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572372Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:34.201{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1203869056F49A377927DD88E4612BB5,SHA256=549CBDD2BD4D80046CCA974B245C086D58646E6A861CA9B29C3232CF13F9558F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670938Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:32.431{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51161-false10.0.1.12-8000- 23542300x8000000000000000670940Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:35.513{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD5CDBB807E6EC68BEA4EFE4A626DFA,SHA256=DFB0E48E2717AAF3B1AA13F94A5D00114ACB30B29BA4602ABDB948D77F3F171B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572400Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.872{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F87-609D-F350-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572399Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572398Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572397Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572396Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572395Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572394Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572393Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572392Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572391Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572390Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.872{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F87-609D-F350-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572389Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.872{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F87-609D-F350-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572388Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.873{E1BD9FC2-7F87-609D-F350-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000572387Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.325{E1BD9FC2-7F87-609D-F250-00000000BB01}1588352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572386Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.294{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F21DBCF038F636A20F6B799C8E71E4,SHA256=1407EED8B8AC17AD1A5C0A8696ECD3D7BDCA8E50290EFB1CD44200BBB2CEE1BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572385Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.200{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F87-609D-F250-00000000BB01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572384Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.200{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572383Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.200{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572382Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.200{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572381Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.200{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572380Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.200{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572379Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.200{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572378Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.200{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572377Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.200{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572376Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.200{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572375Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.200{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-7F87-609D-F250-00000000BB01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572374Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.200{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F87-609D-F250-00000000BB01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572373Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.201{E1BD9FC2-7F87-609D-F250-00000000BB01}1588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670941Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:36.564{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E54DCC55AE21F187DB0B464E7203E8,SHA256=3E9017F9A80F5C63BA29F67C4BA302DC1CE58C89A16DC8EF529B8A038F32EC85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572418Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:34.676{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52772-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000572417Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.544{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F88-609D-F450-00000000BB01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572416Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572415Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572414Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572413Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572412Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572411Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572410Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572409Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572408Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572407Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.544{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F88-609D-F450-00000000BB01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572406Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.544{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F88-609D-F450-00000000BB01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572405Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.545{E1BD9FC2-7F88-609D-F450-00000000BB01}2884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572404Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.310{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23A0100ED127BD5D2CA26FD9F53FE2CE,SHA256=6594B05C774471239E2C2E5C6E6707EDD759EB24220E64F945266B6B246DB8A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572403Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.060{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B2B11E7576E9D3EED0C0E1D50E37E27,SHA256=8D6A1C67611F1D1674D289B98061157FE5EFE067D247AD3808D61720308193ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572402Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:36.060{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AD7EC1A424F2BEBEC9D8600D3F74461,SHA256=D06F037DF4FDEF3C69B6575C42AFFA5D0336725CAB3EA68144881653585B536E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572401Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:35.997{E1BD9FC2-7F87-609D-F350-00000000BB01}38401200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572434Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.575{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B2B11E7576E9D3EED0C0E1D50E37E27,SHA256=8D6A1C67611F1D1674D289B98061157FE5EFE067D247AD3808D61720308193ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572433Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.466{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C22367659F72750206992C764D51BF8,SHA256=51DF487E598F8CA4CADF33075BE13F8D62E6830582A9F97FAD7D15766EC734C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572432Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.341{E1BD9FC2-7F89-609D-F550-00000000BB01}9003580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000670942Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:37.566{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1371A8B58E7497AA50F92A88ED725C2,SHA256=455C7A49F5FC9A171F97256B8AB3E9BE0FC6D225B4D471AE7D2403B1E6AA8B0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572431Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.216{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7F89-609D-F550-00000000BB01}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572430Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572429Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572428Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572427Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572426Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572425Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572424Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572423Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572422Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572421Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.216{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7F89-609D-F550-00000000BB01}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572420Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.216{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7F89-609D-F550-00000000BB01}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572419Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:37.217{E1BD9FC2-7F89-609D-F550-00000000BB01}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572435Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:38.357{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28DB3CCB285F577A49DA819FF61D2E2,SHA256=CD8BBBFE33864B9EE294B579F146D655EB4D599AE9F7DF11D7888CD1C8584072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670945Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:38.580{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3EC179D7C79D43B71A1AA6324B31C0,SHA256=F7B469E161A4FBBECDDF84E9311FDF1DAA98C5CE4BCD45DD9595783EB0DEFA95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670944Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:38.231{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AFD01AEA046889A197D6FF78A00A153,SHA256=7A9FE6942740FBCC44879A9DA0DDADE85E9E8B7BA523A7D78F3C6E5E74AACDA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670943Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:38.230{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B46CB7AE2C6AAF0138C9B4E07DBA79C9,SHA256=40657D2F9003AB0F5641E9ED4C10959413970A33A2713832B67BEA8672EBEAFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670947Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:39.594{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3829BFD69B0A72313F860466F7450B96,SHA256=880F262D4D7423BF412830D271BA0101EDA2170475222D39B590254569A43F3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572436Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:39.372{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C7BE649C873841844C3F45D3982829,SHA256=A98BF869C6DCEBD4A9E7BB13828762EBC902E555884E4D15022A3B5BADA439DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670946Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:37.472{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51162-false10.0.1.12-8000- 23542300x8000000000000000670948Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:40.610{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=933FE0EA97FF1919ED95F97EA9849CB0,SHA256=331A8034B4AD95F1D0CE322CCAD9FB2556CD56DD0CC9DD72AFA5F1BC76C4B969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572437Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:40.388{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C679F85C2F9ACBA000AB1B59CAB40E5,SHA256=99C5FAFFA51E15D21D06E03500BACFA20825B8F2CC82FC2418F9EB9DEAFA8B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670949Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:41.628{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EED972D76B5635B7F9090127736E3B,SHA256=185D15501A9BD2BB3E0F7AE0A88DDC53BA88A487BD964F89EE38CC95D439A2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572439Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:41.388{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFEBEF980CA2310021D2B8DF000DAEB0,SHA256=F33E3B7D103A37FD3FD675267C6E35E434193BC8F4EC2E81BC4797467EC1645B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572438Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:41.107{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7C44A97A06B361256B72396DD1A4A43,SHA256=EF9E279DB60A5EF9411EAAACB20870F4D49A0F4C2F24A4C86F747BA507CB4890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670951Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:42.645{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2128E875F6D5FDDEF70A2E926E23958,SHA256=A248230D66F1E009966447D984D7DBBC8B6836FEEDA2F1D17C22C216E2F218EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572441Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:42.404{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639F2FFAE496AE2E5640C5EBD41DC96A,SHA256=AB05D2D2149A6A3089F93FDC7072241BE7153FBBCC47B8955302539C3CF8F077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670950Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:42.345{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AFD01AEA046889A197D6FF78A00A153,SHA256=7A9FE6942740FBCC44879A9DA0DDADE85E9E8B7BA523A7D78F3C6E5E74AACDA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572440Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:39.691{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52773-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000670952Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:43.675{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A34A63A3963F8CCE10C40A9E7B0DB5,SHA256=B9A4567B3FFCBDEF40880DADF674BB78F695786CBFB4DD6925E9A11CB94DF9EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572442Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:43.404{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=412BD090415497CC4833056003D52286,SHA256=B45CBAE75249B1D2CB320600580DCF899C5FC9A67AAAFCC8C5574CD58AA4C9F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670955Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:44.705{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=088F51AA9D6F351F04FABCAAD795B01D,SHA256=A73E25FDC0433347BC8A782DBB7DD42B06AD6349D8E1611AFEEFDA7B64B651FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572443Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:44.404{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531CF1661B0D67AE3D3DA1DBE18EAE70,SHA256=E303C60C083236BA413681CB8AAF727471C08BE97A9BFB377F8A734BAE462179,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000670954Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:43.253{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51163-false10.0.1.12-8000- 23542300x8000000000000000670953Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:44.026{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D83C7FEDFAB91313C71ED7E3AB80917E,SHA256=6DC07909B380556C9C5A102A5E419B5E6CDAD1EC381577B2EE57BF14854FC643,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670973Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.904{7B03F3B2-7F91-609D-EC55-00000000BA01}71965340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670972Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.757{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F91-609D-EC55-00000000BA01}7196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670971Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.757{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670970Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.757{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670969Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.757{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670968Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.757{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670967Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.757{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7F91-609D-EC55-00000000BA01}7196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670966Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.757{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F91-609D-EC55-00000000BA01}7196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670965Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.758{7B03F3B2-7F91-609D-EC55-00000000BA01}7196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670964Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.723{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AF6135B3F8AD325BDC81DEC10A95A0B,SHA256=BB3719051BFFFDE15638A5D496C1049745F68AC7673D7E0C97CC44EF3C989F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572444Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:45.435{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E05B64222A1B222D919636A453483EC,SHA256=D19639EE5835610E3313ECEF682CA9666876AC1315C3658D18A5725182BE2F3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670963Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.075{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F91-609D-EB55-00000000BA01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670962Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.075{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670961Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.075{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670960Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.075{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670959Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.075{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670958Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.075{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7F91-609D-EB55-00000000BA01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670957Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.075{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F91-609D-EB55-00000000BA01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670956Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:45.076{7B03F3B2-7F91-609D-EB55-00000000BA01}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670983Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:46.742{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3EC5CDA822980885AD06E6826D4F124,SHA256=0317DB5894581114F358BE07B1DA975B5E9BE093C1C3F9B55486B6CDD3C30401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572447Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:46.473{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BECBE00BB914615CFA1E059121B5C0,SHA256=CE6E53E5725C8205BB1B30214C636865FE25B491BB3D34BD379B2AA01BF7CFFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670982Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:46.420{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F92-609D-ED55-00000000BA01}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670981Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:46.417{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670980Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:46.417{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670979Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:46.417{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670978Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:46.417{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670977Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:46.417{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-7F92-609D-ED55-00000000BA01}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670976Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:46.416{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F92-609D-ED55-00000000BA01}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670975Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:46.416{7B03F3B2-7F92-609D-ED55-00000000BA01}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670974Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:46.108{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1352E10E326B06502F7B3D6E0F101B6D,SHA256=0F44348170C3E22D755C92092F7B4F8C68C59CAC067DCC7B2D378903754A8FD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572446Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:46.154{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CCC15951A2BBE350C30A31489FE0DF6,SHA256=CED4739AFC53E28612D3732D32E640423449EDFE8A3F9378BD0AA5E0E05A5222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572445Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:46.154{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9F3E175E9FE6319DA506D0C418536B74,SHA256=F3BDA3EB6E1DDD442EBC5F28C820252C4CCFD8AABE0060AE9B76ED2E367EA7D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671002Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.856{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F93-609D-EF55-00000000BA01}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671001Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.856{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671000Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.856{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670999Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.856{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670998Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.856{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670997Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.856{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7F93-609D-EF55-00000000BA01}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670996Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.856{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F93-609D-EF55-00000000BA01}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670995Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.858{7B03F3B2-7F93-609D-EF55-00000000BA01}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000670994Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.756{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B1470F5BAE3CD5AC2E9CAA80BC9B3B0,SHA256=6BD913E0DB637CEC9EFC494AE120F3B21488958E8A8573682B2B5ACA4B7853B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572449Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:47.505{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3FFA17FE63CD268D86001F8B6D8ABD,SHA256=05800FA99D674B402726C3C7DC76C831DAC92EF375BB4753D138D84584EF5416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000670993Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.425{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=505540B5A9F274103475E7DB42334EBE,SHA256=9208A780A8897453C3F9A7A9F778AF5DA2F14C98FB17829CF98A4455631FC88C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000670992Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.357{7B03F3B2-7F93-609D-EE55-00000000BA01}19006568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670991Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.204{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F93-609D-EE55-00000000BA01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670990Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.204{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670989Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.204{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670988Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.204{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670987Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.204{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000670986Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.204{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-7F93-609D-EE55-00000000BA01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000670985Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.204{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F93-609D-EE55-00000000BA01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000670984Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.205{7B03F3B2-7F93-609D-EE55-00000000BA01}1900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000572448Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:44.738{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52774-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000671006Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:48.861{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C7AACD127C421C4CCCF4527D652210A,SHA256=967A7AC49107F94EAFC89740985978773638ADA72A20B23D10BDA1E49DD73213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671005Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:48.777{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F29F2E7948C09A4D277F3BA9C4E01B7,SHA256=883ABF1BD6E2CBD15798A5CF07354E51F6CEDBFAD3ED7FB1ACA0493C03F51622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572450Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:48.520{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C899EA226A0DC4A4A4854A3815FD54,SHA256=1028A89245F343D7F0E864C8A420F6590B1CBB9E109E40D3057B5747E275CA31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000671004Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:47.152{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53410- 10341000x8000000000000000671003Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:48.183{7B03F3B2-7F93-609D-EF55-00000000BA01}70164364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000671007Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:49.777{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CEB9C874FBED5056E97D7758B646F0,SHA256=0A14C69E2E539DB696820B3950BF1563F39A6412F39A07BF7A9C178881742CF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572451Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:49.552{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B743BF260039945CDD8E229EA78B1903,SHA256=3B8AAB50526FF41A3AB58F5884441F8D9A6AD00A392A89A64FC0CAB30477D79C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671017Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:50.859{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F96-609D-F055-00000000BA01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671016Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:50.859{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671015Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:50.859{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671014Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:50.859{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671013Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:50.859{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671012Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:50.859{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7F96-609D-F055-00000000BA01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671011Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:50.859{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F96-609D-F055-00000000BA01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000671010Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:50.860{7B03F3B2-7F96-609D-F055-00000000BA01}7452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000671009Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:50.793{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=085198479A9327A9B580ADDCACCB09DC,SHA256=75ED373BE487D12AC132972A44DFA3E852ABC4E8FD4B04F892F671D071A1D95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572452Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:50.567{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E2688910D1C9CD5BD77D50D7A4865D,SHA256=5E8A50AAF22D0DBCDDD538AAE1D5D148921597865A214A4A6155E49210080522,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000671008Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:48.324{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51164-false10.0.1.12-8000- 23542300x8000000000000000671028Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:51.895{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCB9887CD3B2CE31D274A36F5E220B0C,SHA256=4E45867817D6CA667AA6003CCEA797545386A574A4B0C5C49F9996F0D4C7069D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671027Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:51.813{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE1A6DF13748F51EFE8D365E7BAE2DA,SHA256=75A458F495F6BA0C035B2AD8F964EBC1E9EDBDDAEF835B1AF01A3DF58EFC6C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572455Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:51.567{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083009BD2BAB42A32DB741A6CC5AA4C7,SHA256=74864CBFC405AEF70C070F68A6FA7D624AADCF7D6DFFD55CAD4C5998EB2978DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671026Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:51.529{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7F97-609D-F155-00000000BA01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671025Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:51.529{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671024Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:51.529{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671023Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:51.529{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671022Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:51.529{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671021Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:51.529{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7F97-609D-F155-00000000BA01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671020Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:51.529{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7F97-609D-F155-00000000BA01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000671019Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:51.530{7B03F3B2-7F97-609D-F155-00000000BA01}7688C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000671018Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:51.044{7B03F3B2-7F96-609D-F055-00000000BA01}74522108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572454Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:51.176{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2E78C7F22244776B15711F8FBD93632,SHA256=7B085AA60D66A04B7C9495247FCCC40786C0394B199D095A8C02AB87F93DABFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572453Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:51.176{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CCC15951A2BBE350C30A31489FE0DF6,SHA256=CED4739AFC53E28612D3732D32E640423449EDFE8A3F9378BD0AA5E0E05A5222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671029Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:52.828{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1140E65EE3C407609A80BE9751CBA0F5,SHA256=623AA1AA911719931CA93F4B25B87589CA15038B14C64B38D7C01FA461C6BB7E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000572467Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:35:52.927{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000572466Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:35:52.927{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a7353d9) 13241300x8000000000000000572465Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:35:52.927{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74826-0xcd99f4b1) 13241300x8000000000000000572464Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:35:52.927{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7482f-0x2f5e5cb1) 13241300x8000000000000000572463Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:35:52.927{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d74837-0x9122c4b1) 13241300x8000000000000000572462Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:35:52.927{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000572461Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:35:52.927{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a7353d9) 13241300x8000000000000000572460Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:35:52.927{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74826-0xcd544982) 13241300x8000000000000000572459Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:35:52.927{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7482f-0x2f18b182) 13241300x8000000000000000572458Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:35:52.927{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d74837-0x90dd1982) 23542300x8000000000000000572457Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:52.598{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978D6AC104FBA836F60D0B7C4D07F3B5,SHA256=D6AD15A408646D498E6CCDB5B59C853870F8C8CE0CEBC1AE9DADDC1F4C664A2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572456Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:49.792{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52775-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000671031Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:53.859{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=636F675BF9D3CA9DAF9BB712E3E5B842,SHA256=76BED5250A6541B28A0DBA19D25D54F29A38223DA51749CD43ED2D8F46C24F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572468Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:53.645{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23045E47DC1A90BB034C1EAE502B7B91,SHA256=51A8B4235E7DA2FF8C75D71A3BF33FCEB67CFB6B1239C1613FA26CA69607A6EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671030Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:53.559{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=988C337339DA18CA17A5B76D9A520097,SHA256=1F039F6B8B4A66192A888960549E9B5798EA87366A17682839AC0DF299D34854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572472Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:54.677{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11CEF009EE2382972F0C2CC8BAB6BF65,SHA256=6D10C199A39EFD309B5CE9BE5AB49DB839F7AC50D2F56C824003C8948D7A469B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671034Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:54.874{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF3FFDEC8CA1023BB74B6093F9D64BD,SHA256=77C5885D82CBD0E78EFBECD9FEBCF7BE5BA402518B5C9D848D3834B453FA850B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000671033Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:53.336{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51165-false10.0.1.12-8000- 23542300x8000000000000000671032Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:54.159{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F76125B07AB4F59B255440E580A99E0C,SHA256=553D312A4D2147E063BECDFD0705593C797114D7D975764E7B164F201F4430E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572471Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:54.567{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572470Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:54.567{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572469Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:54.567{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572473Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:55.723{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=770DA78DEF1D1AB5AE0946A4B4CCB19F,SHA256=B4A7F1E009AB6F9E7508B8E7A04A36576239C604738AF26C7D5D85729058C2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671035Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:55.895{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A797B6E470E96DAAD5277BC7AAD712AD,SHA256=AA84F7C171C2F079F29C29449BD163930ABE650F7FD713D0375A76C939FA7792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671036Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:56.925{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57BB68F4F3139280370B9AC942F7459A,SHA256=EF773878A3F90079E699511F6F20CBDD88800732B9385A88668F7C086A61890B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572474Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:56.770{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21EFAD848CB7CED1A7B4C06C8277F081,SHA256=1A6E0A4FF4C743E38D6E5AC39EFF3A22B8687E35D1399549930E60E373BB8A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671037Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:57.940{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1645255CC79DC096F18CD667BF4BD0E,SHA256=58BE3593316E9A1EE717C76912D2BCCEFF3DCC6AAE8685B519496948B929AF71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572480Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:57.770{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A31B94D628E4340DE985803B28369F77,SHA256=9D2658322276DBC62C85DA6AAFDDECF6B5A04FCF134B2505969BC1FFC6A63481,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572479Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:55.683{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52776-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000572478Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:55.655{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal138netbios-dgmfalse10.0.1.15win-host-681.attackrange.local138netbios-dgm 354300x8000000000000000572477Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:55.655{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-681.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal138netbios-dgm 23542300x8000000000000000572476Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:57.052{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04AC717454D9D96762EADC64E38E25C0,SHA256=9A0E5B15D022A741EE9C6B994DB3C32F810D60FE07A490A7EA3BA124B3614C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572475Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:57.052{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2E78C7F22244776B15711F8FBD93632,SHA256=7B085AA60D66A04B7C9495247FCCC40786C0394B199D095A8C02AB87F93DABFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671038Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:58.971{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140D51422B094800D5ECBC313E94FD9B,SHA256=47B9D96ACA17FCC2FC831D4D4C8A402113BCBAEA910C8AF281C84DA17BB4A861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572481Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:58.817{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A56D7BF90F3FFA448729F06E21C1502,SHA256=D649E34A58B838112DF35BFDF1C447531E9E8F41104C58F2C13D90E4E714DFD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671052Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:59.992{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F83E69FBB3B11AC5F29145DEA4F120D,SHA256=CE03EE6A135A51CD6A9AAD740A74EF90DE4CCA4FD4F09735888BF6F9DAE7A1F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572482Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:35:59.864{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89732D2C2130E3B915CA75F66018E8A2,SHA256=62FFE52999C4EAE89FBB82175B9EB1DF4CF0602E9664719C1487391BAF2EA0BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000671051Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:58.417{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51166-false10.0.1.12-8000- 13241300x8000000000000000671050Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:35:59.371{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000671049Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:35:59.371{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a7b08c0) 13241300x8000000000000000671048Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:35:59.371{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74826-0xd137c301) 13241300x8000000000000000671047Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:35:59.371{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7482f-0x32fc2b01) 13241300x8000000000000000671046Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:35:59.371{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d74837-0x94c09301) 13241300x8000000000000000671045Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:35:59.371{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000671044Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:35:59.371{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a7b08c0) 13241300x8000000000000000671043Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:35:59.371{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74826-0xd137c301) 13241300x8000000000000000671042Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:35:59.371{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7482f-0x32fc2b01) 13241300x8000000000000000671041Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:35:59.371{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d74837-0x94c09301) 23542300x8000000000000000671040Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:59.171{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37929E03F80776B62D694275DC150139,SHA256=DFE4C0513EFB5A674AC01500EDDC9FC65784F192409FD2439864D50FF7DD708F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671039Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:35:59.171{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F66D5A892948DAEFA9DF07C4D310EE7,SHA256=5C2899A83F2A563DF9136A4E799475607B7DC461C97F9D2B4F2B1E510450156E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572483Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:00.880{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840F55909BB8A4E2369CFDCFE9ACC196,SHA256=05B7644BD7FC374004F0B3E1306B29C6D4F796725C20B91907E135DD3C02074A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572484Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:01.958{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78C845935B29506DC0C39D24FACAF14,SHA256=F1E199C11C49ED66E8DAB793916E8309D5EFCB27142F9F47766F04D9E52F6652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671053Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:01.022{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EDB811828C87834924164DBA7AF3EE6,SHA256=8450ECEA4073499BA004BEDFD232A0A5C7C35EE972ADA457672C8F905993A863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671055Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:02.368{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37929E03F80776B62D694275DC150139,SHA256=DFE4C0513EFB5A674AC01500EDDC9FC65784F192409FD2439864D50FF7DD708F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671054Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:02.068{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A41C1BC3540033C144D320B55376A70,SHA256=C4E6245F862A31F7DB77C1D00D81248101E8674ECCA182230BF0F115A7A496C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572487Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:00.777{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52777-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572486Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:02.161{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D7FC5465D0C48FC009F5FC3615E05E5,SHA256=7F2C98FEA15A93DB5B5B6BAF182AB69C29D6274118973C744C589141099DEBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572485Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:02.161{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04AC717454D9D96762EADC64E38E25C0,SHA256=9A0E5B15D022A741EE9C6B994DB3C32F810D60FE07A490A7EA3BA124B3614C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572488Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:03.005{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132F195E00C8454E56AE1D1C1F555A57,SHA256=A2CD8AA015DE4F30ADD858C1E7E53CB3FB2DFBB31E34C448E4E4DAFFAF5368C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671056Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:03.086{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F6CE8214097481C62F3FE1D7CE0377,SHA256=2F664D3FDF304EE688093A5FC5F3204B072E8828F4A2DDB6552BC4D630D06B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572489Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:04.020{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9789AC1328694531C20C7F345451F71D,SHA256=912D2AE97ACE6031E4407D056B7C18C6993656EC23AF5D0E6D0DC8080EDD5CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671057Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:04.104{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0356BABDDD184E5F79CF3E9E146CE332,SHA256=5B875D4A4BF94318AEA0E38CA310DA0510DF418058F6595D61A237E9720E4882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572490Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:05.020{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560AABADD5E0BB75FC91BB706318D656,SHA256=3C2E584F7A97F75C31AE360AE4C36600C6B7C0C4C03C4115B08F3B6A254588E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000671060Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:04.296{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51167-false10.0.1.12-8000- 23542300x8000000000000000671059Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:05.118{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E011B305F270E567569606F6B88596DA,SHA256=2949C3B10302761E9496AA178B39E9846F044EE0803A472B97EE036EECE51CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671058Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:05.065{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9605C28E6284ABD6E05DC52CF3A53F96,SHA256=230B28C523090FCFC226455076E76F9FAF53A86FA48CA22EE6FAF7D67D045409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671061Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:06.133{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7054959B1221695ECE889F692EA842F,SHA256=F45C8A74657A926819B6F88D763B4704F021C5CAB0288B2FC7925BAD5C097075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572491Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:06.036{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30526690C19EA03893D6D1B5B870C54,SHA256=28D59FB6B988A6CAB7083D0B2698ADFAB9EF0DED9E30D78E59E24CAA7D446BEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671066Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:07.501{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671065Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:07.501{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671064Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:07.501{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000671063Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:07.364{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A28B19716D2DE0CA24FDD7675B0FCAD,SHA256=91FF410F0991C92DE2A5A8DEB240892731C61F1B95EA8028E1D86F80D497A187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671062Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:07.148{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=820BF19EB2E5A9D5AB326D2C3905FA0A,SHA256=CFCD6B936CE8D51CEFB020A283725D237FD60937AD908F4A1DD9E2F494BA5F20,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572495Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:05.808{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52778-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572494Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:07.193{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A28F2C80C2063B1E9CC80FC9EF764F40,SHA256=A7378DF3723CCDA8169EC0A245CE045D25DBD479D4EC7C8BD75B4CDFF5EEF7C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572493Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:07.193{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D7FC5465D0C48FC009F5FC3615E05E5,SHA256=7F2C98FEA15A93DB5B5B6BAF182AB69C29D6274118973C744C589141099DEBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572492Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:07.037{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4457167313D7766213680258B75F94,SHA256=9A5F2E359410272AE4310CB9BD6DF7C53817C0CC65BBFDF35BE4BC67923B51FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572496Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:08.115{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A28576884544C482F6D6E5E154D3AD50,SHA256=6595A7225819DFAAF8E059E288914FCE9872B56B369481A13E1E8C1FFDC180D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671067Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:08.163{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2004BB1CB425BA58A91A6AF1E424C22,SHA256=6D0245558DB9730C9E5AB19F9AFBF6C1FA8B8FFFF2491ECCADA8F980FB774D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572498Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:09.490{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C795A027A46728615850ED9FCC6AEB77,SHA256=80C33EFC48285D0603388DFB2F9268A595829B5961F8ED2893ACEF831229D3AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572497Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:09.131{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41084818F46AE3ECE534FF257843F89B,SHA256=3A660BE460A2CD59765CD6522E44C46E3ABFD0421D9B42ED3D58088A23E0E173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671068Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:09.215{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1259E1FF106EA70E09F5C82B17F747D9,SHA256=02699030A853A53EED0F5A0EAE11B95603E89D9563FCE15126FB367F03EDC1FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000671071Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:09.324{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51168-false10.0.1.12-8000- 23542300x8000000000000000671070Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:10.231{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144BEF064992BF5ED005A41551C6603F,SHA256=8F43F12B7D33FA16264789A67D7D807C5814CDCF40FC2D3811027EE7A04A0283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572499Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:10.146{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DB8444A9411518206412B5B384B1F8,SHA256=C185A66AE675BB4ED32BFC0AAE302471F88E173815A5C19C0C6436E872F5BF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671069Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:10.082{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78E8762D22386C1EAB4E36301B4C841E,SHA256=D14EA35A05E7159353946C9A10A456C84B3219F984D1735BA37B07D6B7E140DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671072Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:11.262{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C2005D00B2C1564C001DAB05E6934C,SHA256=DE60950941D2ADEF48365E25F4D05043196D7392938695D507168BAF8C7F2277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572500Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:11.146{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B36122360051C5259BD3125CE98DDDD,SHA256=D357C5BAD3CAE9556717608BBCDEBB6C10760066B1B033BD8AB9EC9B5E5D20BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671073Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:12.265{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D8D02229E3F6BD68B1F3D9E5FD9DFE,SHA256=DDA6EE3E3A44E4BF991EF56552493654083D51545E26DDCDA7DA735B73C42BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572503Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:12.224{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4279ABF01EE9E4DC6BDE7AE9B06B971,SHA256=F78E3350BC5B60B51E375873F75A1E97E77A4AFF9319902F67006A5ECAFB1FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572502Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:12.224{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A28F2C80C2063B1E9CC80FC9EF764F40,SHA256=A7378DF3723CCDA8169EC0A245CE045D25DBD479D4EC7C8BD75B4CDFF5EEF7C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572501Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:12.162{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F396909FE7E2617CB6F6430C6C196B,SHA256=0295CF87EE39E058F346CC57CFB251A8EA2BE7B71F3D6148A2B2DCAC37387B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572505Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:13.177{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC5D2A3A24247B5B9574C9923C14E39,SHA256=3F5E76A63E72FE604394679573BC0F0C2BDC61B2CAAD96F72067445E5E29EC7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671074Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:13.282{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFD7D8D1F0D5DEBC54E83C0025E733C,SHA256=2EC51B09BB29C41BC265CF113939A12CF2841DB37250BB681E89BCF2D6E29ACC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572504Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:10.824{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52779-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000671075Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:14.300{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9C7A510F93020D5ECE9C0E087DBAF4,SHA256=721FD410251C6CE9182949491632611DCE90E21C74713BF6A249E86CB6E56D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572506Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:14.256{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE58B452BD1C621CD74219F36D83B29,SHA256=D46DF10F43EADA9A6305E54A2ED8409F2AC0A69151F55811193ED27FD15DF6DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000671079Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:14.362{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51169-false10.0.1.12-8000- 23542300x8000000000000000671078Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:15.346{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB63A6ABFDBA5AAC9A98A8EB35316535,SHA256=8E885CE79E06DCD12A2DFBD119D4793A5086758286F525B4735B408338831718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572507Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:15.271{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C591B56C01FA94C25D99C46D18AF8388,SHA256=1853B000F1F20B21E0FAD862BD1E78B99E084D1B8987AA84284D47C0AC177518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671077Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:15.146{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8A42C28B382D26CF10ADFECBAA4CBE7,SHA256=4698CE4A1A97CBB116223193F5F1409536B9E86B9F9E952F5654E03FC6C78252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671076Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:15.146{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A69C3A1277A15CB6D4E2AFDB6D4AFE6E,SHA256=E529F69060F9EAF2E70C9DE3220FA79387D1FD6AD740C79921D8B6B0D8739FC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671080Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:16.360{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB099F763D434071A46140D581BE2E66,SHA256=D2D48B360C14EA1BE57A83CC781B75EF30616F8767A526DE6ADBBD8C9D1F6873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572508Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:16.271{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2257F069E3768D47F6E992B5C83C44,SHA256=7D56BAEF4A97B3D1624935682434D6F92A3551B8CDF283013D0ECA0F0463E131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671081Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:17.397{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1B12EC4C4EBE04C7F9626198AB3DB8,SHA256=9CD48249AC6F78BBBEB040A60C1CDF4D99EF6F1A85F24002C2F6EFF0094B5812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572509Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:17.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FACAE7632AA9100ABCA86739CB412BD7,SHA256=FE751A15A9A0B3D2E94109E9A74DB1546180D201F196F8D35E839B7B061867C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671082Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:18.411{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FF47D468BA8ADABC47457713E2CCEEA,SHA256=57FE2DCEFCB4E6C73EB688AE044A52DA086C7754D3A1468473C2297A90DEE1FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572512Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:18.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A902DECCCA29BF369D07D685D6C0E72,SHA256=8880EBF68B116E3662D37DD3349A14DC78C9EA9BE79A2C02B9850C17913D55FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572511Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:18.131{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F84BEEB5FF7CCF400E63CC4EE641EC5,SHA256=D6E09A8D1D4A65A02C1A496F5A9AC47E7BDAB001B67675B2088DA3462D4EBEC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572510Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:18.131{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4279ABF01EE9E4DC6BDE7AE9B06B971,SHA256=F78E3350BC5B60B51E375873F75A1E97E77A4AFF9319902F67006A5ECAFB1FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671083Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:19.426{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584BCABAD525244AE219CC1B246A2881,SHA256=FDFA09E025BB3C5F817F4918C3715272A075378359D9155F1E8B94CE715D2987,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572514Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:19.302{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD1A90E70E4D93ED8DEB9FC1BE03FDF,SHA256=344FB77D7482AEDA6ED4FDEF700015315D55A3D0413763F442CCAFB40FBB9B91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572513Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:16.684{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52780-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572515Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:20.302{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEFA0F6568E2D76F19A681D295922A5,SHA256=FBF5CF2BA760621D85E9FF1C15D89EE36E8C0EC8164F08DFDDB62B299CEEC790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671084Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:20.426{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E830A1587DAFB9899FC431B1E2D33C0F,SHA256=326722F11F63BE0887DAE8C6092AC144728A1ED4AC3A6AA8447570DA6615EE61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671087Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:21.440{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A851CB1CD35C049043551DBCE707A30C,SHA256=49544537A8DE5099E04B74C2125817708C55E5829CA8259F1DBF32F57110216E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572516Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:21.318{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D40911D0F4D381565FACD003CE5D66F9,SHA256=8371B4132F5358F073ACB15E231645BF28CCA3C593F3D0BD799BF36CA185833A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671086Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:21.076{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0A31A190E9809F6AA8EC9203376DE33,SHA256=CDCD15D9107BE875B43ACD558F7E818606F3BDCFF57C72E041470CB974499B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671085Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:21.075{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8A42C28B382D26CF10ADFECBAA4CBE7,SHA256=4698CE4A1A97CBB116223193F5F1409536B9E86B9F9E952F5654E03FC6C78252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671090Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:22.540{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DD8D31A7E79703638A6E82D378AEF0,SHA256=F3B5DCD82F0B6BBE8E1A1F674599B571B4D36E6EA7D0E79AE37DD30D4BE01A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572517Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:22.318{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4C4E138925119EDB02F138B72EBFAF,SHA256=315CB1610355A44068F465E86D823AA18157D9B79363648EEF0FFA8517BF92F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671089Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:22.356{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0A31A190E9809F6AA8EC9203376DE33,SHA256=CDCD15D9107BE875B43ACD558F7E818606F3BDCFF57C72E041470CB974499B09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000671088Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:20.303{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51170-false10.0.1.12-8000- 23542300x8000000000000000671091Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:23.554{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D8169ACCD85B54229FA8E8909F45758,SHA256=83A5470EEECFCA7007006DD06EA6FA77C1B6F99364F4268F3760693857A1E618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572518Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:23.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=679C782B2E14229E0E51F2379CD5AA52,SHA256=E76A88C6866B2063D0935AFFBACD3D41A9FB2FA297AFB23F49FBA98AA1DF56A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572521Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:24.349{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EDB1E4D6A7FA5770A42E3CC6AF79B8,SHA256=25481C69869D85AEEFA230DA5FDE461B3D826886D2E0D262BA48B37341E453B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671092Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:24.574{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9F1797CCF6944A570DAAB23F8BD08D0,SHA256=7C15F8AF6D819C142D3B114AEAE0AE04DA8F260E54A76F75598109CFB4CF0F51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572520Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:24.302{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01FBA9DCF60FB2AFA8EBBF6D57B954E3,SHA256=F8C6040BD640F269837FF74158BEEDF2F2C5B91FDA2D4C9819993963C5F9FAE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572519Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:24.302{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F84BEEB5FF7CCF400E63CC4EE641EC5,SHA256=D6E09A8D1D4A65A02C1A496F5A9AC47E7BDAB001B67675B2088DA3462D4EBEC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671095Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:25.589{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362F5BF7B4F7415BE1FD2C4A79FEC0AF,SHA256=4273DB2D62D4AD8EECF305D050EF40D66488A9E7563DACE708C1EE2063CDB905,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572537Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:25.896{E1BD9FC2-7FB9-609D-F650-00000000BB01}3432700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572536Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:25.771{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7FB9-609D-F650-00000000BB01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572535Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:25.771{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572534Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:25.771{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572533Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:25.771{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572532Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:25.771{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572531Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:25.771{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572530Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:25.771{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572529Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:25.771{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572528Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:25.771{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572527Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:25.771{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572526Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:25.771{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-7FB9-609D-F650-00000000BB01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572525Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:25.771{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7FB9-609D-F650-00000000BB01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572524Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:25.772{E1BD9FC2-7FB9-609D-F650-00000000BB01}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572523Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:25.365{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6AE81FCB1DE05D08C3432AEC9526CB6,SHA256=490233F680CE93C9ACB40D00902928073FBB65DC2E440351CB6CFEED59EAD8C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572522Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:22.699{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52781-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000671094Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:25.236{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A3F27FF1113F49FA774B583E747B0B1,SHA256=9C5F18CBA76A934548532A8B67376EBF45D822035226F9907DC5CB92509A14D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671093Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:25.236{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671098Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:26.620{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E594D62905BA4EE6209988A27B39487,SHA256=49EE8F3BCD1D2B26AE741F4B4BAFD7E84E1306C5199944D749490A6B9500E47C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572552Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:26.814{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01FBA9DCF60FB2AFA8EBBF6D57B954E3,SHA256=F8C6040BD640F269837FF74158BEEDF2F2C5B91FDA2D4C9819993963C5F9FAE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572551Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:26.393{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7FBA-609D-F750-00000000BB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572550Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:26.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572549Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:26.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572548Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:26.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572547Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:26.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572546Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:26.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572545Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:26.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572544Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:26.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572543Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:26.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572542Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:26.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572541Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:26.393{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7FBA-609D-F750-00000000BB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572540Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:26.393{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7FBA-609D-F750-00000000BB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572539Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:26.394{E1BD9FC2-7FBA-609D-F750-00000000BB01}2868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572538Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:26.377{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AB2890C0D31050F48B9E372CD41F239,SHA256=E9AFE015C8AD2483FEE5DEECC9DC2BCB342F5E536D257008E6D473F776084525,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000671097Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:24.468{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51171-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000671096Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:24.468{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51171-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 13241300x8000000000000000671103Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:36:27.837{7B03F3B2-D0CA-609A-1200-00000000BA01}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7482f-0x445dcb86) 23542300x8000000000000000671102Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:27.653{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C45F8D56D6095C3E6D3CF8BBB81ACF,SHA256=329EFB053E001AF917AA0FE09EAA7D46BFFEACA711A1935DD97C4C0AB6CD63C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572566Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:27.642{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BEBB4CD7D34E8BA2A9C78E9B3BE20E,SHA256=C5E5805CFB625A34C565120247ADEBAA8C902D3E24320F93106E5043BCDCA2E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671101Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:27.338{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF5F6A4B72A4027C6D1A64097A165B41,SHA256=DD647B5D615CF7EF3473AD2A348E3EB019BC7751C778D7E9807B0D76C7D170C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000671100Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:25.466{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51173-false10.0.1.12-8089- 354300x8000000000000000671099Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:25.335{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51172-false10.0.1.12-8000- 10341000x8000000000000000572565Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:27.018{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7FBB-609D-F850-00000000BB01}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572564Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:27.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572563Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:27.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572562Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:27.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572561Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:27.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572560Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:27.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572559Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:27.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572558Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:27.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572557Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:27.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572556Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:27.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572555Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:27.018{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-7FBB-609D-F850-00000000BB01}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572554Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:27.018{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7FBB-609D-F850-00000000BB01}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572553Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:27.019{E1BD9FC2-7FBB-609D-F850-00000000BB01}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000671104Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:28.672{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057532005C3E4BFF91C325C85CB14663,SHA256=4B72CFD84BD8D7B32675437FE3CDA17EE0B0C1B71099823F7CCB66B5A9D359EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572568Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:28.658{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7A9F6845F25E9A042F2715BFA5AC4B,SHA256=85827F3A835E44CA7D59B1704057EA6302B859AECCFCF9C5B2464BB01FF855B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572567Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:28.033{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24B8FE412F9759A8E1A1AB24E9DD83FA,SHA256=6F5124CF035F4FAA6A543186E17091C08FC081B5F53687BCCF0EBAFEEE533B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572571Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:29.814{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572570Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:29.705{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81845F17F4DC879398DDB995FB0D45A9,SHA256=CDFFB95A323362C7002B1E8729F7D239E5AA6859C81A0EB87BC2E4E999A780C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671105Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:29.689{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DFE711B62A647659291D924570C6042,SHA256=455F28491D29937090469A5C6DC30B5D42B1BC0A10882C85D4E5DFBCC09AC4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572569Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:29.143{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF02FADB29559DA9AC76E54794720D74,SHA256=A10DA0877E0D371610637686C92CCAA876CEEFEC8F34C99172E57A10657903A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572574Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:30.830{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31F228D8C27730F53BBB099DB24C922F,SHA256=294095A54770A40277FC0CB6A256C8D0FA6E3434FBC5B94A29293B755FE4E889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572573Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:30.721{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297D8AE1B5510F388FDA7A31CD4D0FF6,SHA256=5D702A25298F15B86AC0ED0E4C5135CCACB85FCF86BB14859150757482F3E54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671106Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:30.720{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=324B4BD1C771C405CA9BEF055F4DBC08,SHA256=E8A51EDC0BDCE54D4E2A43AEE0193D1A7F1FBB1FA2598A95EB60963F430F16BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572572Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:27.742{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52782-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572576Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:31.754{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=960DB46C490272ABEBF8D2D76DF7C472,SHA256=FC69F04807162D50D47812A22081ED507C471E04C95AF36B0BAB47C3F791F798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671107Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:31.736{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207317FEF964D04305E8A7DD0129DB3B,SHA256=C0FA1EEDA8C18A96964DAB107E4ACB2DF4DD7C577FF5C42857D5DF90D3A19352,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572575Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:29.430{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52783-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000572577Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:32.846{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2EC012726A3325B92DCFB0D3A5485EB,SHA256=59B76DB109B34A8B28A49047F267528B16D903E5010C6E67AE56F1517C22285C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671109Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:32.750{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CF415A15E8BE384A6B3F0D97F546D3,SHA256=B200C24E7C85C4F58CB52FCE933DEB941C2C7939A5C1E2AC4C7357E196B06C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671108Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:32.151{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7C99C52591A35DE4D92279C318AA6A0,SHA256=048535B8ED54E22B6D8E8BCCE7EFA3AD88BA5ABDF0C7E06A378DE64AEEDE434D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671111Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:33.771{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E782E31A22E6867729033E5C6AD0FC,SHA256=362D75285C29B951E15016D3D9D58D833EAFFD1B05F0290C8293D06503D9E484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572578Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:33.894{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D09B463B213E221AF1B159BBA7F0D9,SHA256=52ECB9EEF8B56763B10F92A23871F1A27AA58861CFF98CA8DCEE2C75282491F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000671110Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:31.366{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51174-false10.0.1.12-8000- 23542300x8000000000000000572581Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:34.925{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE7DDA93FCA04C20525CA1B18ECC734,SHA256=F034994743C251BE06CEA97BFA92795E4980BAD6A3AF7353AEACE649A67A69C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671112Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:34.785{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB6904390AF10F0439E2DA3D807C2B7,SHA256=A95826985C01958F98572C3E340FBCDF2CBC12980FDD9B08E477AFA6B2651C2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572580Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:32.837{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52784-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572579Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:34.253{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33D62AE708F2A6214E0F686D18FFDDB9,SHA256=176F5780D18BDF28E0CFA19239BDBB5E078B01569DB2C3F210DE1586C1E5C1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671114Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:35.816{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38F9CAB3DD48A60C8E821A2C03F4BF2,SHA256=70EEECC142FA3760F67FA4E37EEA0031105D2B7D6EC6114E8BAD4FA1AF7E354A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572608Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.878{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7FC3-609D-FA50-00000000BB01}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572607Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572606Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572605Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572604Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572603Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572602Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572601Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572600Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572599Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572598Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.878{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-7FC3-609D-FA50-00000000BB01}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572597Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.878{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7FC3-609D-FA50-00000000BB01}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572596Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.879{E1BD9FC2-7FC3-609D-FA50-00000000BB01}2552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000572595Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.331{E1BD9FC2-7FC3-609D-F950-00000000BB01}2163616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572594Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.206{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7FC3-609D-F950-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572593Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572592Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572591Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572590Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572589Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572588Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572587Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572586Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572585Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572584Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.206{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-7FC3-609D-F950-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572583Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.206{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7FC3-609D-F950-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572582Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:35.207{E1BD9FC2-7FC3-609D-F950-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000671113Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:35.517{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-D0C5-609A-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000671116Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:36.847{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EFB29CEAA98A808466D4BAC8C14FD36,SHA256=5E7E02AFFB170F3117C3A2838443800CF04DD9D709D765B40B821D60AC7F17AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572625Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.612{E1BD9FC2-7FC4-609D-FB50-00000000BB01}29443280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572624Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.487{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7FC4-609D-FB50-00000000BB01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572623Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572622Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572621Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572620Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572619Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572618Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572617Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572616Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572615Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572614Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.487{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7FC4-609D-FB50-00000000BB01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572613Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.487{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7FC4-609D-FB50-00000000BB01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572612Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.488{E1BD9FC2-7FC4-609D-FB50-00000000BB01}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572611Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.222{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=23B8DEE7C48B58A4CF362115F3B30014,SHA256=EC2CAE206EDD3BB692228611E2171199F795A30F654C899DECF0383E0BBF26E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572610Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.159{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB869184368D9F0A99A62064015E050,SHA256=624143E7A70CC264364680F31062ABD3836A9BD1567543354DB0924038812782,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572609Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:36.050{E1BD9FC2-7FC3-609D-FA50-00000000BB01}25522528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000671115Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:36.465{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA497CE1847D111E53E31ACD8B9E46D9,SHA256=EFC8A7578FFB498F93657D9EA54D3FE028CCDC86536BF173CAB59B2C946BC32B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671139Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:37.883{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A034FB689C77FB3FEECC854332BB9B35,SHA256=4CA2AEDABB647AA51C8ED65CAB350DD4F5FE054C5587715C8E0EC355DFA69974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572640Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.487{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=650FCC08E44698EE9DB07B6DD0D79D95,SHA256=ECFE9D8433312DDC4593585DE9612BA53E12E0A1F96C3C81215BAEE54CBF3D8B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572639Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.159{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7FC5-609D-FC50-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572638Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572637Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572636Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572635Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572634Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572633Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572632Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572631Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572630Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572629Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.159{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-7FC5-609D-FC50-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572628Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.159{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7FC5-609D-FC50-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572627Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.160{E1BD9FC2-7FC5-609D-FC50-00000000BB01}788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572626Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.050{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE1FD96B19CDF5B3F63505D3A8C27326,SHA256=B31A67A8E3F4A9B63C9AB7A623281C3ECAE6C6EE8DD243E71128A6CE35EF1048,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671138Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:37.467{7B03F3B2-7FC5-609D-F355-00000000BA01}6927248C:\Windows\system32\conhost.exe{7B03F3B2-7FC5-609D-F255-00000000BA01}7084C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671137Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:37.446{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7FC5-609D-F355-00000000BA01}692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671136Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:37.430{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671135Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:37.430{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671134Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:37.430{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671133Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:37.430{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7FC5-609D-F255-00000000BA01}7084C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671132Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:37.430{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671131Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:37.430{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-7FC5-609D-F255-00000000BA01}7084C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671130Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:37.415{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671129Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:37.415{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671128Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:37.415{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000671127Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:36.408{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51180-false10.0.1.12-8000- 354300x8000000000000000671126Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:35.770{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51179-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000671125Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:35.770{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51179-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000671124Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:35.767{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51178-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local49666- 354300x8000000000000000671123Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:35.767{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51178-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local49666- 354300x8000000000000000671122Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:35.766{7B03F3B2-D0CA-609A-0D00-00000000BA01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51177-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000671121Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:35.766{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51177-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000671120Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:35.658{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-18.attackrange.local51176-false10.0.1.14win-dc-18.attackrange.local389ldap 354300x8000000000000000671119Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:35.658{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51176-false10.0.1.14win-dc-18.attackrange.local389ldap 354300x8000000000000000671118Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:35.650{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51175-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000671117Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:35.650{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51175-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 23542300x8000000000000000671249Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.978{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74FC1AC5A8A9C63DF979B2651A33886,SHA256=DD1A9AD31D8413740BD68CD655205332795859186C1F7112E5408B45F22EFA2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671248Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.955{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18110F7C147E1ED537153D2943468272,SHA256=F5E6D632AEB77E6A4CD068725A9B0D5ADA0A00E74E9A24FE05B4A47E95D307A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671247Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.954{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=558249E6BB0A1E35AACE7CE76AD9575F,SHA256=987FC55A468DB35B471542AE4A33B7575C35114E8AABD6CFB74C6B4678BEA174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671246Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.894{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=14D8A66E4ED06314E898913FEFCED77E,SHA256=5FE24B65F27E89135E4BA2B2D4A31549F9EB5E7EAFF4CE67E9F4515CF6476A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671245Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.872{7B03F3B2-D0CA-609A-1600-00000000BA01}1304NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671244Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.868{7B03F3B2-D0CA-609A-1300-00000000BA01}92NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.logMD5=FCD6BCB56C1689FCEF28B57C22475BAD,SHA256=DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x8000000000000000572641Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:38.066{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB1756558121B10D5F605B57E22E204,SHA256=43AEEB2FF9CFAB7FCF994CDBD1150E8F7CB37F43597C49FAC84B1F35568D8E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671243Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.831{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=14D8A66E4ED06314E898913FEFCED77E,SHA256=5FE24B65F27E89135E4BA2B2D4A31549F9EB5E7EAFF4CE67E9F4515CF6476A75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671242Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.815{7B03F3B2-7FC6-609D-FF55-00000000BA01}81043272C:\Windows\System32\svchost.exe{7B03F3B2-D0CA-609A-1300-00000000BA01}92C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+7b27|c:\windows\system32\appxdeploymentserver.dll+2db00|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671241Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.802{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671240Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.802{7B03F3B2-7FC6-609D-F855-00000000BA01}80285724C:\Windows\system32\compattelrunner.exe{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\compattelrunner.exe+53b1|C:\Windows\system32\compattelrunner.exe+3ef9|C:\Windows\system32\compattelrunner.exe+2b7f|C:\Windows\system32\compattelrunner.exe+1522d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671239Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.772{7B03F3B2-7FC6-609D-FF55-00000000BA01}81043272C:\Windows\System32\svchost.exe{7B03F3B2-D0CA-609A-1300-00000000BA01}92C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671238Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.771{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671237Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.770{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671236Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.770{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671235Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.770{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000671234Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.717{7B03F3B2-D0CA-609A-1300-00000000BA01}92NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\System32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.logMD5=FCD6BCB56C1689FCEF28B57C22475BAD,SHA256=DE2F256064A0AF797747C2B97505DC0B9F3DF0DE4F489EAC731C23AE9CA9CC31,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 10341000x8000000000000000671233Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.701{7B03F3B2-D0C8-609A-0B00-00000000BA01}6325688C:\Windows\system32\lsass.exe{7B03F3B2-D0CA-609A-1300-00000000BA01}92C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671232Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.701{7B03F3B2-D0C8-609A-0B00-00000000BA01}6325688C:\Windows\system32\lsass.exe{7B03F3B2-D0CA-609A-1300-00000000BA01}92C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000671231Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.685{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F59B207B2604A8788D50F1191837C76E,SHA256=F6D049D65F72F79CBA2AF77E3806F485BB13A7B4DAD40D16B8EDE23B93631312,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671230Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.685{7B03F3B2-7FC6-609D-0156-00000000BA01}22404732C:\Windows\system32\conhost.exe{7B03F3B2-7FC6-609D-FE55-00000000BA01}844C:\Windows\system32\disksnapshot.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671229Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.685{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671228Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.670{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671227Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.670{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671226Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.670{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000671225Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.670{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A89855F03305833E87AB3A89564D1674,SHA256=8D9EDB6C66EB84F87B4206EEC060BE84AA137B02338B6C7F70767013E825B9B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671224Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.617{7B03F3B2-D0CA-609A-1600-00000000BA01}13046208C:\Windows\system32\svchost.exe{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671223Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.617{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671222Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.617{7B03F3B2-D0C8-609A-0A00-00000000BA01}6248140C:\Windows\system32\services.exe{7B03F3B2-7FC6-609D-FF55-00000000BA01}8104C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671221Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.617{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-7FC6-609D-FF55-00000000BA01}8104C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671220Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.617{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-7FC6-609D-0156-00000000BA01}2240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671219Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.586{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7FC6-609D-FF55-00000000BA01}8104C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671218Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.586{7B03F3B2-D0C8-609A-0A00-00000000BA01}6247176C:\Windows\system32\services.exe{7B03F3B2-7FC6-609D-FF55-00000000BA01}8104C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671217Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.586{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671216Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.586{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671215Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.586{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671214Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.586{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671213Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.586{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671212Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.586{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671211Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.586{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671210Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.586{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671209Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.586{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7FC6-609D-FE55-00000000BA01}844C:\Windows\system32\disksnapshot.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671208Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.570{7B03F3B2-D0CA-609A-1600-00000000BA01}13044380C:\Windows\system32\svchost.exe{7B03F3B2-7FC6-609D-FE55-00000000BA01}844C:\Windows\system32\disksnapshot.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2be0|c:\windows\system32\UBPM.dll+16d25|c:\windows\system32\UBPM.dll+4552|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671207Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.570{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671206Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.570{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671205Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.570{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671204Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.570{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671203Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.567{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-D0C8-609A-0A00-00000000BA01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671202Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.567{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671201Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.566{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671200Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.566{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-D0C8-609A-0A00-00000000BA01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671199Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.548{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671198Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.548{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671197Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.548{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671196Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.548{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671195Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.548{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7FC6-609D-FD55-00000000BA01}4692C:\Windows\system32\CompatTelRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671194Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.548{7B03F3B2-7FC6-609D-F855-00000000BA01}80285724C:\Windows\system32\compattelrunner.exe{7B03F3B2-7FC6-609D-FD55-00000000BA01}4692C:\Windows\system32\CompatTelRunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\compattelrunner.exe+53b1|C:\Windows\system32\compattelrunner.exe+3ef9|C:\Windows\system32\compattelrunner.exe+2b7f|C:\Windows\system32\compattelrunner.exe+1522d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671193Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.548{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671192Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.548{7B03F3B2-D0CA-609A-1600-00000000BA01}13044380C:\Windows\system32\svchost.exe{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2be0|c:\windows\system32\UBPM.dll+16d25|c:\windows\system32\UBPM.dll+4552|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671191Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.532{7B03F3B2-7FC6-609D-FB55-00000000BA01}53966308C:\Windows\system32\conhost.exe{7B03F3B2-7FC6-609D-F955-00000000BA01}6724C:\Windows\system32\dstokenclean.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671190Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.517{7B03F3B2-7FC6-609D-FA55-00000000BA01}7726788C:\Windows\system32\conhost.exe{7B03F3B2-7FC6-609D-F855-00000000BA01}8028C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671189Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.517{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671188Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.517{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671187Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.517{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671186Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.517{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671185Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.517{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-7FC6-609D-FB55-00000000BA01}5396C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671184Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.517{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671183Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.501{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671182Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.501{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-7FC6-609D-F955-00000000BA01}6724C:\Windows\system32\dstokenclean.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671181Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.501{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7FC6-609D-FA55-00000000BA01}772C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671180Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.501{7B03F3B2-D0CA-609A-1600-00000000BA01}13044380C:\Windows\system32\svchost.exe{7B03F3B2-7FC6-609D-F955-00000000BA01}6724C:\Windows\system32\dstokenclean.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2be0|c:\windows\system32\UBPM.dll+16d25|c:\windows\system32\UBPM.dll+4552|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671179Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.485{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671178Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.485{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671177Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.485{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-D0C8-609A-0A00-00000000BA01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671176Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.470{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671175Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.470{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671174Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.470{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-7FC6-609D-F855-00000000BA01}8028C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671173Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.470{7B03F3B2-D0CA-609A-1600-00000000BA01}13044380C:\Windows\system32\svchost.exe{7B03F3B2-7FC6-609D-F855-00000000BA01}8028C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2be0|c:\windows\system32\UBPM.dll+16d25|c:\windows\system32\UBPM.dll+4552|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671172Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.448{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671171Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.448{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671170Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.448{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671169Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.448{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671168Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.448{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671167Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.448{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671166Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.432{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-7FC6-609D-F555-00000000BA01}7784C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671165Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.432{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-7FC6-609D-F555-00000000BA01}7784C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671164Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.432{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671163Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.432{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671162Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.432{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671161Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.432{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671160Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.432{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671159Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.432{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671158Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.432{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000671157Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.417{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39243EF234C54A4DAE444795BABDE951,SHA256=ABE422CC48A9D316EDBD59E0458E907E08CD54C8D2FAE2B2FAB7A9E2B6C9DC25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671156Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.417{7B03F3B2-319D-609C-402D-00000000BA01}2288452C:\Windows\system32\csrss.exe{7B03F3B2-7FC6-609D-F555-00000000BA01}7784C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671155Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.417{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671154Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.417{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671153Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.417{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671152Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.417{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671151Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.417{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671150Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.417{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-7FC6-609D-F555-00000000BA01}7784C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671149Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.417{7B03F3B2-D0CA-609A-1600-00000000BA01}13044380C:\Windows\system32\svchost.exe{7B03F3B2-7FC6-609D-F555-00000000BA01}7784C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+2039|c:\windows\system32\UBPM.dll+2be0|c:\windows\system32\UBPM.dll+16d25|c:\windows\system32\UBPM.dll+4552|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671148Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.385{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671147Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.385{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671146Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.385{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671145Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.385{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671144Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.385{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671143Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.385{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671142Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.385{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671141Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.385{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671140Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:38.385{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671436Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.998{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-7FC7-609D-0456-00000000BA01}7812C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671435Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.945{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000671434Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.945{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000671433Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.929{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa7ba732.TMPMD5=36DBBADA813EDB200C2B5A8128054E48,SHA256=F4E0DB2CD90C5DD2683AE772A460616D1F0DB8B7E1C978F725E37B250DA33754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671432Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.929{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\aborted-session-pingMD5=554258D49A4F738F578C9895A715E155,SHA256=9B36E38138F87CB949CF3CE4F8C352EC0D28AFCE12E3FCF4718CB2E4D7A9EC23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671431Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.929{7B03F3B2-7FC7-609D-0656-00000000BA01}10402780C:\Windows\system32\conhost.exe{7B03F3B2-7FC7-609D-0B56-00000000BA01}5280C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671430Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.914{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-7FC7-609D-0B56-00000000BA01}5280C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671429Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.914{7B03F3B2-7FC7-609D-0456-00000000BA01}78127352C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{7B03F3B2-7FC7-609D-0B56-00000000BA01}5280C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+3d7ae(wow64)|UNKNOWN(00000000011F4853)|UNKNOWN(00000000011F4504)|UNKNOWN(00000000011F5A9B)|UNKNOWN(00000000011F28F8)|UNKNOWN(00000000011F0F66)|UNKNOWN(00000000011F0950)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+f036(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+122da(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1859b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1992d7(wow64) 23542300x8000000000000000671428Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.898{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F000DFD38478093688740577D15C86,SHA256=155D2662E3BAEDB0DF21234950E7A3929E725E17B107011261B0221C44AB4B8D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671427Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.898{7B03F3B2-D0C8-609A-0B00-00000000BA01}6325688C:\Windows\system32\lsass.exe{7B03F3B2-7FC7-609D-0A56-00000000BA01}5272C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671426Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.898{7B03F3B2-D0C8-609A-0B00-00000000BA01}6325688C:\Windows\system32\lsass.exe{7B03F3B2-7FC7-609D-0A56-00000000BA01}5272C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671425Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.861{7B03F3B2-7FC7-609D-0656-00000000BA01}10402780C:\Windows\system32\conhost.exe{7B03F3B2-7FC7-609D-0A56-00000000BA01}5272C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671424Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.830{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7FC7-609D-0A56-00000000BA01}5272C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671423Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.830{7B03F3B2-7FC7-609D-0456-00000000BA01}78127352C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{7B03F3B2-7FC7-609D-0A56-00000000BA01}5272C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+3d7ae(wow64)|UNKNOWN(00000000011F4853)|UNKNOWN(00000000011F4504)|UNKNOWN(00000000011F2103)|UNKNOWN(00000000011F0F66)|UNKNOWN(00000000011F0950)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+f036(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+122da(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1859b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1992d7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1bb7fa(wow64) 10341000x8000000000000000671422Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.814{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-D0CA-609A-1200-00000000BA01}388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000671421Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.814{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-D0CA-609A-1200-00000000BA01}388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000671420Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.699{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B467E3279F3DE48AB0C55DCC3F56EF,SHA256=1D45409971A631D809F0B7F7EEB0378955DC51051F00A4944BAF5060783218D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671419Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.661{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-7FC7-609D-0956-00000000BA01}5176C:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\dismhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671418Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.661{7B03F3B2-319D-609C-402D-00000000BA01}2288452C:\Windows\system32\csrss.exe{7B03F3B2-7FC7-609D-0956-00000000BA01}5176C:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\dismhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671417Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.661{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671416Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.661{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671415Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.661{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671414Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.661{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671413Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.661{7B03F3B2-7FC6-609D-FC55-00000000BA01}49884584C:\Windows\system32\cleanmgr.exe{7B03F3B2-7FC7-609D-0956-00000000BA01}5176C:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\dismhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\system32\Dism\DismCore.dll+273f6|C:\Windows\system32\Dism\DismCore.dll+8eaa|C:\Windows\system32\Dism\DismCore.dll+58d4|C:\Windows\system32\DismApi.DLL+55381|C:\Windows\system32\DismApi.DLL+2c46a|C:\Windows\system32\DismApi.DLL+25f06|C:\Windows\system32\DismApi.DLL+24ceb|C:\Windows\system32\DismApi.DLL+2466f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000671412Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.663{7B03F3B2-7FC7-609D-0956-00000000BA01}5176C:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\DismHost.exe10.0.14393.4169 (rs1_release.210107-1130)Dism Host Servicing ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationDismHost.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\dismhost.exe {0B110B20-DB9C-4E09-9922-52B90F4DCFD6}C:\Windows\system32\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=A59C22B77871CC18970038B7FA43826F,SHA256=CB84B51713BAD689ABB96560E57A71B276D4B28B1C09C7116EE85F5782A1B144,IMPHASH=734010D3430DBD2CA51B599924FE1424{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\System32\cleanmgr.exeC:\Windows\system32\cleanmgr.exe /autoclean /d C: 11241100x8000000000000000671411Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.630{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-service-winsvc-l1-1-0.dll2021-05-13 19:36:39.630 11241100x8000000000000000671410Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.630{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-service-private-l1-1-1.dll2021-05-13 19:36:39.630 11241100x8000000000000000671409Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.630{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-service-private-l1-1-0.dll2021-05-13 19:36:39.630 11241100x8000000000000000671408Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.630{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-service-management-l2-1-0.dll2021-05-13 19:36:39.630 11241100x8000000000000000671407Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.630{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-service-management-l1-1-0.dll2021-05-13 19:36:39.630 11241100x8000000000000000671406Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.630{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-service-core-l1-1-1.dll2021-05-13 19:36:39.630 11241100x8000000000000000671405Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.630{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-service-core-l1-1-0.dll2021-05-13 19:36:39.630 11241100x8000000000000000671404Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.630{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-security-sddl-l1-1-0.dll2021-05-13 19:36:39.630 11241100x8000000000000000671403Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.630{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-security-provider-L1-1-0.dll2021-05-13 19:36:39.630 11241100x8000000000000000671402Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.630{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-security-lsapolicy-l1-1-0.dll2021-05-13 19:36:39.630 11241100x8000000000000000671401Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Security-Lsalookup-L2-1-1.dll2021-05-13 19:36:39.614 11241100x8000000000000000671400Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Security-Lsalookup-L2-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671399Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-security-cryptoapi-l1-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671398Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-security-base-l1-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671397Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-EventLog-Legacy-L1-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671396Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Eventing-Provider-L1-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671395Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Eventing-Legacy-L1-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671394Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Eventing-Controller-L1-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671393Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-eventing-consumer-l1-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671392Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Eventing-ClassicProvider-L1-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671391Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-devices-config-L1-1-1.dll2021-05-13 19:36:39.614 11241100x8000000000000000671390Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-devices-config-L1-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671389Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-core-xstate-l2-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671388Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-xstate-l1-1-0.dll2021-05-13 19:36:39.614 23542300x8000000000000000671387Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.614{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3A15C090154B3EEC3F7FCCF8289150F0,SHA256=F2A107F50D0CA8D646870DEC649EBE4CA17620E429891E92AFF4A7134F5D74C7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000671386Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-wow64-l1-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671385Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-version-l1-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671384Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-util-l1-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671383Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-url-l1-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671382Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.614{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-timezone-l1-1-0.dll2021-05-13 19:36:39.614 11241100x8000000000000000671381Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.599{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-threadpool-private-l1-1-0.dll2021-05-13 19:36:39.599 11241100x8000000000000000671380Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.599{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-threadpool-legacy-l1-1-0.dll2021-05-13 19:36:39.599 11241100x8000000000000000671379Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.599{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-threadpool-l1-2-0.dll2021-05-13 19:36:39.599 11241100x8000000000000000671378Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.599{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-sysinfo-l1-2-1.dll2021-05-13 19:36:39.599 11241100x8000000000000000671377Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.599{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-sysinfo-l1-2-0.dll2021-05-13 19:36:39.599 11241100x8000000000000000671376Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.599{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-sysinfo-l1-1-0.dll2021-05-13 19:36:39.599 11241100x8000000000000000671375Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.599{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-synch-l1-2-0.dll2021-05-13 19:36:39.599 11241100x8000000000000000671374Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.599{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-synch-l1-1-0.dll2021-05-13 19:36:39.599 11241100x8000000000000000671373Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.599{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-stringloader-l1-1-1.dll2021-05-13 19:36:39.599 23542300x8000000000000000671372Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.599{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3A15C090154B3EEC3F7FCCF8289150F0,SHA256=F2A107F50D0CA8D646870DEC649EBE4CA17620E429891E92AFF4A7134F5D74C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671371Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.599{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEB5A4516235FA2383C852EB57BAF8FE,SHA256=A7B838D0FF97B513D469857B468C63C37DA857B59DCA38557C2EC43F84452204,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000671370Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.599{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-stringansi-l1-1-0.dll2021-05-13 19:36:39.599 11241100x8000000000000000671369Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.599{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-core-string-obsolete-l1-1-0.dll2021-05-13 19:36:39.599 11241100x8000000000000000671368Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.599{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-core-string-l2-1-0.dll2021-05-13 19:36:39.599 23542300x8000000000000000671367Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.599{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE49DCA84B2059C163C4A9382BD08B60,SHA256=0C1EF0365AA0B51A6753FB8712336D4A08E54E22850BB5E9FC5FE15823DD7815,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000671366Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.599{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-string-l1-1-0.dll2021-05-13 19:36:39.599 23542300x8000000000000000671365Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.599{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C145C4D5E2C35FD12561ED0E19132289,SHA256=79D44ED3EB87BA76E1F3488B4ECD9D71D87F354B2066BC4F69B4F4C5EF377C31,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000671364Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.599{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-shutdown-l1-1-0.dll2021-05-13 19:36:39.599 11241100x8000000000000000671363Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.599{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-shlwapi-obsolete-l1-1-0.dll2021-05-13 19:36:39.599 11241100x8000000000000000671362Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-shlwapi-legacy-l1-1-0.dll2021-05-13 19:36:39.583 11241100x8000000000000000671361Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-rtlsupport-l1-1-0.dll2021-05-13 19:36:39.583 11241100x8000000000000000671360Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-registry-l2-1-0.dll2021-05-13 19:36:39.583 11241100x8000000000000000671359Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-registry-l1-1-0.dll2021-05-13 19:36:39.583 11241100x8000000000000000671358Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-realtime-l1-1-0.dll2021-05-13 19:36:39.583 11241100x8000000000000000671357Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-profile-l1-1-0.dll2021-05-13 19:36:39.583 11241100x8000000000000000671356Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-processtopology-obsolete-l1-1-0.dll2021-05-13 19:36:39.583 11241100x8000000000000000671355Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-processthreads-l1-1-2.dll2021-05-13 19:36:39.583 11241100x8000000000000000671354Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-processthreads-l1-1-1.dll2021-05-13 19:36:39.583 11241100x8000000000000000671353Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-processthreads-l1-1-0.dll2021-05-13 19:36:39.583 11241100x8000000000000000671352Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-processenvironment-l1-2-0.dll2021-05-13 19:36:39.583 11241100x8000000000000000671351Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-processenvironment-l1-1-0.dll2021-05-13 19:36:39.583 11241100x8000000000000000671350Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-privateprofile-l1-1-1.dll2021-05-13 19:36:39.583 11241100x8000000000000000671349Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-privateprofile-l1-1-0.dll2021-05-13 19:36:39.583 11241100x8000000000000000671348Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-namedpipe-l1-1-0.dll2021-05-13 19:36:39.583 11241100x8000000000000000671347Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-memory-l1-1-2.dll2021-05-13 19:36:39.583 11241100x8000000000000000671346Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-memory-l1-1-1.dll2021-05-13 19:36:39.583 11241100x8000000000000000671345Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.583{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-memory-l1-1-0.dll2021-05-13 19:36:39.582 11241100x8000000000000000671344Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.582{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-core-localization-obsolete-l1-2-0.dll2021-05-13 19:36:39.581 11241100x8000000000000000671343Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.581{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-localization-l1-2-1.dll2021-05-13 19:36:39.581 11241100x8000000000000000671342Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.580{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-localization-l1-2-0.dll2021-05-13 19:36:39.580 11241100x8000000000000000671341Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.580{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-libraryloader-l1-1-1.dll2021-05-13 19:36:39.578 11241100x8000000000000000671340Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.578{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-libraryloader-l1-1-0.dll2021-05-13 19:36:39.578 11241100x8000000000000000671339Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.577{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll2021-05-13 19:36:39.577 11241100x8000000000000000671338Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Core-Kernel32-Private-L1-1-0.dll2021-05-13 19:36:39.561 11241100x8000000000000000671337Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-kernel32-legacy-l1-1-1.dll2021-05-13 19:36:39.561 11241100x8000000000000000671336Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-kernel32-legacy-l1-1-0.dll2021-05-13 19:36:39.561 11241100x8000000000000000671335Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-io-l1-1-1.dll2021-05-13 19:36:39.561 11241100x8000000000000000671334Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-io-l1-1-0.dll2021-05-13 19:36:39.561 11241100x8000000000000000671333Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-interlocked-l1-1-0.dll2021-05-13 19:36:39.561 11241100x8000000000000000671332Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dll2021-05-13 19:36:39.561 11241100x8000000000000000671331Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-heap-l1-1-0.dll2021-05-13 19:36:39.561 11241100x8000000000000000671330Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-handle-l1-1-0.dll2021-05-13 19:36:39.561 11241100x8000000000000000671329Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-core-file-l2-1-1.dll2021-05-13 19:36:39.561 11241100x8000000000000000671328Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-core-file-l2-1-0.dll2021-05-13 19:36:39.561 11241100x8000000000000000671327Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-file-l1-2-1.dll2021-05-13 19:36:39.561 11241100x8000000000000000671326Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-file-l1-2-0.dll2021-05-13 19:36:39.561 11241100x8000000000000000671325Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-file-l1-1-0.dll2021-05-13 19:36:39.561 11241100x8000000000000000671324Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-fibers-l1-1-1.dll2021-05-13 19:36:39.561 11241100x8000000000000000671323Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-fibers-l1-1-0.dll2021-05-13 19:36:39.561 11241100x8000000000000000671322Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-errorhandling-l1-1-1.dll2021-05-13 19:36:39.561 11241100x8000000000000000671321Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-errorhandling-l1-1-0.dll2021-05-13 19:36:39.561 11241100x8000000000000000671320Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.561{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-delayload-l1-1-0.dll2021-05-13 19:36:39.546 11241100x8000000000000000671319Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.546{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-debug-l1-1-1.dll2021-05-13 19:36:39.546 11241100x8000000000000000671318Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-debug-l1-1-0.dll2021-05-13 19:36:39.530 11241100x8000000000000000671317Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-datetime-l1-1-1.dll2021-05-13 19:36:39.530 11241100x8000000000000000671316Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-datetime-l1-1-0.dll2021-05-13 19:36:39.530 11241100x8000000000000000671315Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-console-l1-1-0.dll2021-05-13 19:36:39.530 11241100x8000000000000000671314Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-comm-l1-1-0.dll2021-05-13 19:36:39.530 11241100x8000000000000000671313Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-com-l1-1-0.dll2021-05-13 19:36:39.530 11241100x8000000000000000671312Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-base-util-l1-1-0.dll2021-05-13 19:36:39.530 11241100x8000000000000000671311Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\WimProvider.dll2021-05-13 19:36:39.530 11241100x8000000000000000671310Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\VhdProvider.dll2021-05-13 19:36:39.530 11241100x8000000000000000671309Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\UnattendProvider.dll2021-05-13 19:36:39.530 11241100x8000000000000000671308Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\TransmogProvider.dll2021-05-13 19:36:39.530 11241100x8000000000000000671307Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\SmiProvider.dll2021-05-13 19:36:39.530 11241100x8000000000000000671306Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\ProvProvider.dll2021-05-13 19:36:39.530 11241100x8000000000000000671305Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\OSProvider.dll2021-05-13 19:36:39.530 11241100x8000000000000000671304Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\OfflineSetupProvider.dll2021-05-13 19:36:39.530 11241100x8000000000000000671303Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.530{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\MsiProvider.dll2021-05-13 19:36:39.530 11241100x8000000000000000671302Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.514{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\LogProvider.dll2021-05-13 19:36:39.514 11241100x8000000000000000671301Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.514{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\IntlProvider.dll2021-05-13 19:36:39.514 11241100x8000000000000000671300Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.514{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\ImagingProvider.dll2021-05-13 19:36:39.514 11241100x8000000000000000671299Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.514{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\IBSProvider.dll2021-05-13 19:36:39.514 11241100x8000000000000000671298Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.514{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\GenericProvider.dll2021-05-13 19:36:39.514 11241100x8000000000000000671297Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.514{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\FolderProvider.dll2021-05-13 19:36:39.514 11241100x8000000000000000671296Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.514{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\FfuProvider.dll2021-05-13 19:36:39.514 10341000x8000000000000000671295Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.399{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-7FC7-609D-0356-00000000BA01}7868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000671294Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.399{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\DmiProvider.dll2021-05-13 19:36:39.399 11241100x8000000000000000671293Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.399{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\DismProv.dll2021-05-13 19:36:39.383 11241100x8000000000000000671292Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localEXE2021-05-13 19:36:39.383{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\DismHost.exe2021-05-13 19:36:39.383 11241100x8000000000000000671291Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.383{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\DismCorePS.dll2021-05-13 19:36:39.383 11241100x8000000000000000671290Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.383{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\DismCore.dll2021-05-13 19:36:39.383 11241100x8000000000000000671289Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.383{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\CompatProvider.dll2021-05-13 19:36:39.383 11241100x8000000000000000671288Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.383{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\CbsProvider.dll2021-05-13 19:36:39.315 10341000x8000000000000000671287Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.362{7B03F3B2-7FC7-609D-0556-00000000BA01}11404520C:\Windows\system32\conhost.exe{7B03F3B2-7FC7-609D-0856-00000000BA01}5252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671286Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.362{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7FC7-609D-0856-00000000BA01}5252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671285Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.362{7B03F3B2-7FC7-609D-0356-00000000BA01}78681272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{7B03F3B2-7FC7-609D-0856-00000000BA01}5252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+35491|UNKNOWN(00007FFD2C345A07) 10341000x8000000000000000671284Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.346{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-7FC7-609D-0756-00000000BA01}7928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671283Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.346{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-7FC7-609D-0756-00000000BA01}7928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671282Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.330{7B03F3B2-7FC7-609D-0556-00000000BA01}11404520C:\Windows\system32\conhost.exe{7B03F3B2-7FC7-609D-0756-00000000BA01}7928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671281Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.330{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7FC7-609D-0756-00000000BA01}7928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671280Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.330{7B03F3B2-7FC7-609D-0356-00000000BA01}78681272C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{7B03F3B2-7FC7-609D-0756-00000000BA01}7928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+35491|UNKNOWN(00007FFD2C345A07) 11241100x8000000000000000671279Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.315{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\AssocProvider.dll2021-05-13 19:36:39.315 11241100x8000000000000000671278Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localDLL2021-05-13 19:36:39.315{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\AppxProvider.dll2021-05-13 19:36:39.315 10341000x8000000000000000671277Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.262{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671276Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.215{7B03F3B2-7FC7-609D-0656-00000000BA01}10402780C:\Windows\system32\conhost.exe{7B03F3B2-7FC7-609D-0456-00000000BA01}7812C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671275Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.199{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7FC7-609D-0656-00000000BA01}1040C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671274Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.165{7B03F3B2-7FC7-609D-0556-00000000BA01}11404520C:\Windows\system32\conhost.exe{7B03F3B2-7FC7-609D-0356-00000000BA01}7868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671273Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.156{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-7FC7-609D-0556-00000000BA01}1140C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671272Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.156{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671271Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.156{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671270Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.155{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671269Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.155{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671268Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.153{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7FC7-609D-0456-00000000BA01}7812C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671267Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.153{7B03F3B2-7FC6-609D-F455-00000000BA01}50447668C:\Windows\system32\taskhostw.exe{7B03F3B2-7FC7-609D-0456-00000000BA01}7812C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01b0|UNKNOWN(00007FFD2C3515F2) 154100x8000000000000000671266Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.152{7B03F3B2-7FC7-609D-0456-00000000BA01}7812C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe4.8.4330.0 built by: NET48REL1LAST_BMicrosoft .NET Framework optimization serviceMicrosoft® .NET FrameworkMicrosoft CorporationNGenTask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe" /RuntimeWide /StopEvent:388C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=196F531423F864F990B24F3D3AFA9AA1,SHA256=353C8C617C87A56F93C9914E219BE4E30A45A0DEA8D98BF34C6BD81A6A287916,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{7B03F3B2-7FC6-609D-F455-00000000BA01}5044C:\Windows\System32\taskhostw.exetaskhostw.exe /RuntimeWide 10341000x8000000000000000671265Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.152{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671264Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.152{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671263Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.152{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671262Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.152{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671261Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.151{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7FC7-609D-0356-00000000BA01}7868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671260Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.151{7B03F3B2-7FC6-609D-F455-00000000BA01}50444024C:\Windows\system32\taskhostw.exe{7B03F3B2-7FC7-609D-0356-00000000BA01}7868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01b0|UNKNOWN(00007FFD2C3515F2) 154100x8000000000000000671259Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.149{7B03F3B2-7FC7-609D-0356-00000000BA01}7868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe4.8.4330.0 built by: NET48REL1LAST_BMicrosoft .NET Framework optimization serviceMicrosoft® .NET FrameworkMicrosoft CorporationNGenTask.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe" /RuntimeWide /StopEvent:892C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=D2DDF021EE6A8A649FB58F6DD05EDED7,SHA256=AC1B312B5D048DAC81327CF083BDEF2966AA883208455490E73D6E34C932B7D9,IMPHASH=00000000000000000000000000000000{7B03F3B2-7FC6-609D-F455-00000000BA01}5044C:\Windows\System32\taskhostw.exetaskhostw.exe /RuntimeWide 10341000x8000000000000000671258Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.147{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671257Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.146{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988C:\Windows\system32\cleanmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671256Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.118{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671255Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.118{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671254Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.118{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671253Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.118{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671252Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.118{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671251Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.115{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671250Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.115{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572643Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:39.237{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E87B0B49DEFD40D6541DAD6640035D6,SHA256=67D86B10F5A3734694425B8E3D612BD1C7B4287B3D66C7D229B30CCF760CE14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572642Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:39.097{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C467EC102D08D9F6A4D567CD17115C,SHA256=3B92838392587FA98DAD39C8A047821E934600EE05D1D523760C3734D7CA25BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671438Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:40.912{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9EC468B70B93ADC0697AB9C4D82FEE,SHA256=E6A0CFAC1E3AF35B6F09B60DE9A6E450A52521382A1CB6CC4F67EC0A2E9D8ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671437Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:40.513{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB4397DBD3B7155D65834CE4AD94D35E,SHA256=CAE51731A744C5570D93BAA65A0177138DB950F8E43D6E6FE941C41C2D1D3CF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572645Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:37.853{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52785-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572644Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:40.144{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA51ED69C823A5E3BFBECF5A91807BE2,SHA256=15CFF71035D595A1374910039061BFC236157372BB211FA0CE8EF449840AD654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671445Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:41.926{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E3D5C17BAB74867AE06B066D7AAE9A,SHA256=44E6C7A4C9CF647EE551603DF19C8251A306D8F62DB3A1C60797C5A403EBB723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572646Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:41.191{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36243D0F375FB71F22534C15B6D7683,SHA256=6524BDE8018807972B51C1F62B7A5B296A3ED2248DDCA3E6CBEB32678BFE55FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000671444Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:40.159{7B03F3B2-D0CA-609A-1200-00000000BA01}388C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEtcptruefalse10.0.1.14win-dc-18.attackrange.local51184-false23.199.80.166a23-199-80-166.deploy.static.akamaitechnologies.com443https 354300x8000000000000000671443Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:40.123{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51160- 354300x8000000000000000671442Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.804{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51183-false40.126.29.5-443https 354300x8000000000000000671441Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.522{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51182-false72.21.91.29-80http 354300x8000000000000000671440Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.498{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53428- 354300x8000000000000000671439Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:39.426{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51181-false40.126.29.5-443https 23542300x8000000000000000671447Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:42.942{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9694413BDFCB374F936CC3C806DE5AE,SHA256=D081178EAE96FCC130BFA0D945CE3E20CE5309FB384D4F52992FB2A4B39BC7FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572647Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:42.206{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F01957EE8B5E4B637538080011C346CD,SHA256=7C19D0221F382DBE820694E17D8A59C1B4B278E8885E036A9A3B705FB30742B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671446Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:42.327{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=589B5A6A84CC431E799B8BCCD3C2B73F,SHA256=0168B3BE5D37D96607B8294388278D1F1B02EF7311D09E3DF4C8833B6DFF7B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671454Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:43.957{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1981341A08EE3AE0F4BDC491E5A5B2,SHA256=C07B2958BAF134BF989BCF960051D55548A7A12F5630B263C5B56526A8CFD546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572648Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:43.237{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D587089AA014BD1932B93E713DCBCF6,SHA256=069583BFE7D7B21F5C0A7D672D5B2B90C3D565DE0DD7BEFB2F6A0061DB29C165,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671453Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:43.925{7B03F3B2-7FC6-609D-0256-00000000BA01}65928128C:\Windows\system32\CompatTelRunner.exe{7B03F3B2-7FC6-609D-F855-00000000BA01}8028C:\Windows\system32\compattelrunner.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\invagent.dll+427c2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000671452Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:42.287{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51185-false10.0.1.12-8000- 354300x8000000000000000671451Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:41.572{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1win-dc-18.attackrange.local55096-false127.0.0.1win-dc-18.attackrange.local53domain 354300x8000000000000000671450Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:41.557{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-18.attackrange.local53domainfalse127.0.0.1win-dc-18.attackrange.local55096- 354300x8000000000000000671449Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:41.557{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98c0:c1eb:8987:ffff-55096-true7f00:1:5:0:10:0:0:0-53domain 354300x8000000000000000671448Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:41.520{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local55096- 23542300x8000000000000000572649Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:44.269{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D0582A0BF2B4C79129F8455AC537A3,SHA256=F9055EF521C796CF22F9F1EAB7C1A5929CA636A627657FC449020CCB98E2F4EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572653Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:43.853{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52786-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572652Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:45.284{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61A41F84B472632EBBB589FE16C073BA,SHA256=28946D798E2F6D1F4EB10F2239DF02612344BB719EC5AE3A972B812D4C3EDE9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671463Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:45.240{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7FCD-609D-0C56-00000000BA01}7184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671462Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:45.224{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671461Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:45.224{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671460Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:45.224{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671459Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:45.224{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671458Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:45.224{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7FCD-609D-0C56-00000000BA01}7184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671457Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:45.224{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7FCD-609D-0C56-00000000BA01}7184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000671456Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:45.094{7B03F3B2-7FCD-609D-0C56-00000000BA01}7184C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000671455Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:45.126{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3FADC410BB21462412A202143212D7,SHA256=DC84085945E124209223AFD6F04EB8F5532426AC3CAB32BCDB3EE68AE22320FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572651Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:45.222{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CB4172C3DE47D063A103AB61E97AF73,SHA256=2533AC08447C36F94A4381E3DD46553416A9DA2312FD16EB1205E785E29FD585,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572650Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:45.222{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C02D164BDEEFFC4057323F2D70AEFD5,SHA256=3602623983499072532D33DF02341F9BC7BD97EB66C6FE44D1D319FC023C64F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572654Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:46.331{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A50FA8AE91E3B412852DA8207CDD400D,SHA256=0AD6F782E23F9E9FDE7F5A1E2B2954FD6C6BE6618FA1C106BCB1AFBBE5841954,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671481Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.983{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7FCE-609D-0E56-00000000BA01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671480Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.981{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671479Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.981{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671478Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.980{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671477Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.980{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671476Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.980{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7FCE-609D-0E56-00000000BA01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671475Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.980{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7FCE-609D-0E56-00000000BA01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000671474Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.856{7B03F3B2-7FCE-609D-0E56-00000000BA01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000671473Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.209{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF1574AD632E3E2AF37F15DC578A23E,SHA256=C3C4CC122968FE0652A8C7EE649C5F812BA3434CA1D94EA654C698197A0474C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671472Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.146{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7FCD-609D-0D56-00000000BA01}7484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671471Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.130{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671470Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.130{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671469Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.130{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671468Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.130{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671467Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.130{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7FCD-609D-0D56-00000000BA01}7484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671466Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.130{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7FCD-609D-0D56-00000000BA01}7484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000671465Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:45.972{7B03F3B2-7FCD-609D-0D56-00000000BA01}7484C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000671464Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:46.114{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC5A6CC7AB1193A57900039207BFB799,SHA256=F3D4B32BF6D14C327A56AE375A780BEEFBAD646ACB296AA2ED431D4400B78293,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671493Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:47.800{7B03F3B2-7FCF-609D-0F56-00000000BA01}79965148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671492Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:47.600{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7FCF-609D-0F56-00000000BA01}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671491Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:47.600{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671490Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:47.600{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671489Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:47.600{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671488Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:47.600{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671487Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:47.600{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7FCF-609D-0F56-00000000BA01}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671486Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:47.600{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7FCF-609D-0F56-00000000BA01}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000671485Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:47.480{7B03F3B2-7FCF-609D-0F56-00000000BA01}7996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000671484Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:47.316{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBD8BE829533FFF1005EC5A5320E334D,SHA256=EF91E1FB111BDF56F81578E7B4A259AB7197B796CD09825E7AE873E1A5FC5331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671483Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:47.216{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6BC1211E46333D8EB2A21BE6D61BB7,SHA256=A521B41ED731EE431E36F3C97C5E7CD400AAE3F645E50C55F214B3DFCB4125A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572655Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:47.367{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB9F1388775EEAC3419FA104E44B0918,SHA256=3C29C29745326105E27D931011AD8FE36EE945FABBAFA24EDCD0FF0B886580A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671482Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:47.175{7B03F3B2-7FCE-609D-0E56-00000000BA01}35286180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000671505Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:48.497{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC56C34BA9F712D3AA20CA36C535F0E7,SHA256=C17933BD21D5F20ED5FD6C652B257511E6DC001AF74E3B7230BF490C7E387396,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000671504Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:47.341{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51186-false10.0.1.12-8000- 10341000x8000000000000000671503Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:48.431{7B03F3B2-7FD0-609D-1056-00000000BA01}9886704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671502Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:48.263{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7FD0-609D-1056-00000000BA01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671501Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:48.263{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671500Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:48.263{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671499Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:48.263{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671498Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:48.263{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671497Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:48.263{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-7FD0-609D-1056-00000000BA01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671496Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:48.263{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7FD0-609D-1056-00000000BA01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000671495Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:48.264{7B03F3B2-7FD0-609D-1056-00000000BA01}988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000671494Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:48.232{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6817F084DAD10B7622FCC4F8B891C08,SHA256=C4FBC1AD616FEC24C696C9DA5F657AF55FC70FB411175B9BEBCB8ACF606449D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572656Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:48.398{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=507CD46995EFE9AE87F29A96943175A9,SHA256=28A1B9665BB06EFAF183E3CE709CB3538286C05D71D5E1855F0C7CDDB124A0D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572657Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:49.476{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E4A5B450BC41A15CC29345808FF3BF,SHA256=D5759155EEA23BF535DEA55DA26D2AEC52793A40267BC1D72C24E4A94616E187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671506Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:49.246{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022F8FC4EFB3F8563B2641CD5E018CE2,SHA256=6F0EBF7E9202C100F0500986B0D6B0706FAF6BC02349F09031D7E8FDB40AE618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572658Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:50.492{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07AF3DA47AA0FF01A0E1C05DF7B9FEDB,SHA256=F7AD9757D933A04F191ED6304553AB8C53733155E0B32B6DB96E06D91EFF16A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671507Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:50.261{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24D8CFC0C4BBBB1C74281CB39C43A7E,SHA256=19F101DE1ED4B8E524D2E8AE41F1DDB2D6BDFD320D478E8C28E9B58B64123273,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572662Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:49.889{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52787-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572661Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:51.538{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9B6C001B2CA2F79127AFC2E3302B4D,SHA256=E09132CEDD9DBFBCD3B64E1BB0D90067DE87835BB06B0BD36F58EE46B5B8C31F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671538Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.904{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7FD3-609D-1256-00000000BA01}7532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671537Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.902{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671536Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.901{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671535Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.901{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671534Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.901{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671533Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.901{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7FD3-609D-1256-00000000BA01}7532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671532Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.900{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7FD3-609D-1256-00000000BA01}7532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000671531Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.747{7B03F3B2-7FD3-609D-1256-00000000BA01}7532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000671530Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.877{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19DC0AA6CBDEA81CF34596A19823EB21,SHA256=16A600437CC8813C663AF08EEFFB3165C761327FCCC22B6C5C9EDE57BF230648,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000671529Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:51.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\BinProductVersion88.0.1.0 13241300x8000000000000000671528Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:51.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\LinkDate05/04/2021 16:36:51 13241300x8000000000000000671527Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:51.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\Publishermozilla corporation 13241300x8000000000000000671526Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:51.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\LowerCaseLongPathc:\program files\mozilla firefox\firefox.exe 13241300x8000000000000000671525Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:51.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\BinProductVersion88.0.1.7794 13241300x8000000000000000671524Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:51.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\LinkDate05/04/2021 16:38:09 13241300x8000000000000000671523Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:51.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\Publishermozilla foundation 13241300x8000000000000000671522Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:51.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\LowerCaseLongPathc:\program files\mozilla firefox\default-browser-agent.exe 13241300x8000000000000000671521Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:51.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\BinProductVersion88.0.1.7794 13241300x8000000000000000671520Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:51.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\LinkDate05/04/2021 16:37:29 13241300x8000000000000000671519Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:51.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\Publishermozilla foundation 13241300x8000000000000000671518Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:51.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\LowerCaseLongPathc:\program files\mozilla firefox\crashreporter.exe 10341000x8000000000000000671517Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.276{7B03F3B2-7FD2-609D-1156-00000000BA01}73324588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000671516Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.275{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9698E8321BEDECF7012249DDE6FC4D53,SHA256=8C8F72BAA41D4F4CB87E63B793CA950935C893B312443B097F362B3E01E036BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572660Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:51.304{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2199A56A502A14BD0E24EEB1C738E1B2,SHA256=0A5136020848DE8214B50609CA04CC46F2FDFD463F6C48A2F24DF0C623B927CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572659Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:51.304{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CB4172C3DE47D063A103AB61E97AF73,SHA256=2533AC08447C36F94A4381E3DD46553416A9DA2312FD16EB1205E785E29FD585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671515Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.031{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-7FD2-609D-1156-00000000BA01}7332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671514Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.026{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671513Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.025{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671512Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.024{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671511Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.024{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7FD2-609D-1156-00000000BA01}7332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000671510Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.024{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671509Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:51.023{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-7FD2-609D-1156-00000000BA01}7332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000671508Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:50.877{7B03F3B2-7FD2-609D-1156-00000000BA01}7332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572663Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:52.554{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA9C9CD0A6B485CAF836D68637C5369,SHA256=2621F99510E19979B2C84F2EB425C2D27B142D9C3211532F0F79A8EA025D13A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671539Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:52.346{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=634FEF018B6BA0AEF556BD0193EF7C10,SHA256=B4A2D7CE24D9AA3FAEBAC4A1DEDE5C96A87624EDDD7B2E154D38EE0D260DD588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572664Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:53.601{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7F994348DAD140E007D89771B4B81A2,SHA256=9EB8B4702B80C1F393BC883016BE75695DCDD8EC19C0FCEB72FEEEF2D256B9D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000671543Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:52.391{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51187-false10.0.1.12-8000- 23542300x8000000000000000671542Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:53.561{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=379EC2CE3A47AB6A50AF0CDCE73F2ADB,SHA256=8E21787E1D910FF4AA35BB694565675B2498F6621F4721F513315A4C7D14E352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671541Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:53.408{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98F66BA3F5FEB65B5149C7DAC9FEE389,SHA256=55FBF2344DA0954F68682CFDDD759382B32A42C161B6691930CD86ADB102400B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671540Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:53.161{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDD8C992E314BE5087FA148E47DC18A1,SHA256=DA0B956137CFE75DB65DE83FB168D9A96FBF3D24282D28957063192F9D4D293C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572665Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:54.632{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EBBD6C5B8D5D958F13F00101DCA072A,SHA256=FD6212ACB9DB403164DFF243E73F5738423759C3AFEA052FF54D94D84A18E084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671544Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:54.427{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D82BEBB24A866DD05FBE6B29B75EFD,SHA256=EF41462269EEA9DA7D5E6EAE7AE25D4600ECE3387565B674BF984875E1DC932E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671545Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:55.444{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92E3A9BEDD2B30671B7B6E3C5BFAD1D,SHA256=002684571B8484551CC885B95D4FCB3ACFE176A699A357A2B4C155F5C361DB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572666Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:55.648{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2F6851FE9AC36ACEA9E8E9B5A2D6F1,SHA256=0C7D8BC929D613CBDC5748A259FFA396C84614BEDD90D80B7AE2CEEE819E3DB4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000671550Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:56.474{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\BinProductVersion1.0.0.0 13241300x8000000000000000671549Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:56.474{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\LinkDate12/11/2016 21:50:55 13241300x8000000000000000671548Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:56.474{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\Publishermozilla corporation 13241300x8000000000000000671547Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:56.474{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\LowerCaseLongPathc:\program files\mozilla firefox\uninstall\helper.exe 23542300x8000000000000000671546Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:56.458{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2046A6BBB11D85384E0AB659095415E0,SHA256=760282CD3073AE8328A3285F3D5CC3D4D14E2B56B0C3FCFF9485847276469CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572667Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:56.648{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF46C06A5515D149B78FEBEBCEE5C59,SHA256=60B8BE076EAB1303B505A252C0B598019E28AA5147728AEADF3E4E509E15A8E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572670Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:57.664{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F250B12D6C69A467041DA9C36974FC49,SHA256=5D062C72023BFBD1958F1F3D5AA24B982926D90EB5EBD00CC428A8F98C628FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671552Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:57.489{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4F1E6436231A31DED5732A7928A68F,SHA256=7A713A2EC41F3A1CB69F94291819A14D41B904742AAA1AD67B7B914087AA5306,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000671551Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:36:57.489{7B03F3B2-D0CA-609A-1200-00000000BA01}388C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7482f-0x560a3ac1) 23542300x8000000000000000572669Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:57.039{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C3B14A8A700FEC9B65E2826D25D1AD6,SHA256=E9D5298E884E0F65AC62DE96D7C90AF54F6ECD5F30AF084C16A93A98F018F63A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572668Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:57.039{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2199A56A502A14BD0E24EEB1C738E1B2,SHA256=0A5136020848DE8214B50609CA04CC46F2FDFD463F6C48A2F24DF0C623B927CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572672Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:58.679{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80E03753A0F94952F7A878B60D0B49C,SHA256=A0BA0E3BCAD41B895B65AD40EE0A5E7931C301100CEFBA38D5C5614C6258DBA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000671655Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:57.665{7B03F3B2-D0CA-609A-1200-00000000BA01}388C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-18.attackrange.local123ntpfalse13.86.101.172-123ntp 354300x8000000000000000671654Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:57.450{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51188-false10.0.1.12-8000- 23542300x8000000000000000671653Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:58.632{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A99EF208203CE20AED5D7B6DE7E596C4,SHA256=24D3C1DE19F891112ABC2599E05354C3B4D5D6037E417337294ADA4999BA1479,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000671652Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.626{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\BinProductVersion2048.512.24125.32311 13241300x8000000000000000671651Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.626{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\LinkDate02/07/2020 15:18:57 13241300x8000000000000000671650Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.626{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\Publishersplunk inc. 13241300x8000000000000000671649Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.626{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-winevtlog.exe 13241300x8000000000000000671648Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.543{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\BinProductVersion2048.512.24125.32311 13241300x8000000000000000671647Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.543{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\LinkDate02/07/2020 15:19:10 13241300x8000000000000000671646Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.543{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\Publishersplunk inc. 13241300x8000000000000000671645Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.537{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-regmon.exe 354300x8000000000000000572671Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:55.654{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52788-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x8000000000000000671644Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.486{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\BinProductVersion(Empty) 13241300x8000000000000000671643Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.486{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\LinkDate02/07/2020 15:18:45 13241300x8000000000000000671642Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.482{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\Publisher(Empty) 13241300x8000000000000000671641Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.482{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-powershell.exe 13241300x8000000000000000671640Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.360{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\BinProductVersion2048.512.24125.32311 13241300x8000000000000000671639Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.360{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\LinkDate02/07/2020 15:18:45 13241300x8000000000000000671638Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.360{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\Publishersplunk inc. 13241300x8000000000000000671637Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.360{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-perfmon.exe 13241300x8000000000000000671636Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.275{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\BinProductVersion2048.512.24125.32311 13241300x8000000000000000671635Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.275{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\LinkDate02/07/2020 15:18:57 13241300x8000000000000000671634Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.275{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\Publishersplunk inc. 13241300x8000000000000000671633Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.275{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-netmon.exe 13241300x8000000000000000671632Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.228{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\BinProductVersion10.0.10011.16384 13241300x8000000000000000671631Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.228{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\LinkDate02/07/2020 15:18:52 13241300x8000000000000000671630Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.228{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\Publisherwindows (r) win 7 ddk provider 13241300x8000000000000000671629Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.228{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-monitornohandle.exe 23542300x8000000000000000671628Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:58.228{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0828DBE286C6A65C40A8DCCC782651A4,SHA256=15585C0DA3644CB73C65D0E83DCBD67E31C703F2FC3CA86A276950F07D38E377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671627Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:58.227{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FF862827F386546527FDF889B82699B,SHA256=E454D381579516AF7377019C7CA54F3CAB4010BCD90D7AAF9405B44F4FCC1716,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000671626Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.174{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\BinProductVersion2048.512.24125.32311 13241300x8000000000000000671625Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.174{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\LinkDate02/07/2020 15:13:21 13241300x8000000000000000671624Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.174{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\Publishersplunk inc. 13241300x8000000000000000671623Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.174{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-compresstool.exe 13241300x8000000000000000671622Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.174{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\BinProductVersion2048.512.24125.32311 13241300x8000000000000000671621Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.174{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\LinkDate02/07/2020 15:19:19 13241300x8000000000000000671620Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.174{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\Publishersplunk inc. 13241300x8000000000000000671619Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.174{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-admon.exe 13241300x8000000000000000671618Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.143{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\BinProductVersion10.0.10011.16384 13241300x8000000000000000671617Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.143{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\LinkDate09/27/2019 18:25:44 13241300x8000000000000000671616Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.143{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\Publisherwindows (r) win 7 ddk provider 13241300x8000000000000000671615Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.143{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splknetdrv.sys 13241300x8000000000000000671614Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.127{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\BinProductVersion(Empty) 13241300x8000000000000000671613Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.127{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\LinkDate01/10/2020 00:48:57 13241300x8000000000000000671612Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.127{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\Publisher(Empty) 13241300x8000000000000000671611Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.127{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\openssl.exe 13241300x8000000000000000671610Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.127{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\BinProductVersion2048.512.24125.32311 13241300x8000000000000000671609Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.127{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\LinkDate02/07/2020 15:13:14 13241300x8000000000000000671608Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.127{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\Publishersplunk inc. 13241300x8000000000000000671607Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.127{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\classify.exe 13241300x8000000000000000671606Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.127{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\BinProductVersion2048.512.24125.32311 13241300x8000000000000000671605Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.127{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\LinkDate02/07/2020 15:12:56 13241300x8000000000000000671604Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.127{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\Publishersplunk inc. 13241300x8000000000000000671603Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.127{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\btprobe.exe 13241300x8000000000000000671602Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.121{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\BinProductVersion2048.512.24125.32311 13241300x8000000000000000671601Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.121{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\LinkDate02/07/2020 15:12:56 13241300x8000000000000000671600Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.121{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\Publishersplunk inc. 13241300x8000000000000000671599Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.121{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\btool.exe 13241300x8000000000000000671598Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.118{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplication\000062e2a9e9b14ba03c6c34d99bd37d04a50000ffff\PublisherIgor Pavlov 13241300x8000000000000000671597Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.118{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\BinProductVersion19.0.0.0 13241300x8000000000000000671596Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.118{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\LinkDate02/21/2019 17:00:00 13241300x8000000000000000671595Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.118{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\Publisherigor pavlov 13241300x8000000000000000671594Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.118{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\LowerCaseLongPathc:\program files\7-zip\uninstall.exe 13241300x8000000000000000671593Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.118{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\BinProductVersion19.0.0.0 13241300x8000000000000000671592Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.118{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\LinkDate02/21/2019 16:00:00 13241300x8000000000000000671591Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.118{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\Publisherigor pavlov 13241300x8000000000000000671590Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.118{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\LowerCaseLongPathc:\program files\7-zip\7zg.exe 13241300x8000000000000000671589Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.094{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\BinProductVersion19.0.0.0 13241300x8000000000000000671588Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.094{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\LinkDate02/21/2019 16:00:00 13241300x8000000000000000671587Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.094{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\Publisherigor pavlov 13241300x8000000000000000671586Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.094{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\LowerCaseLongPathc:\program files\7-zip\7zfm.exe 13241300x8000000000000000671585Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.078{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\BinProductVersion19.0.0.0 13241300x8000000000000000671584Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.078{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\LinkDate02/21/2019 16:00:00 13241300x8000000000000000671583Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.078{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\Publisherigor pavlov 13241300x8000000000000000671582Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.078{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\LowerCaseLongPathc:\program files\7-zip\7z.exe 13241300x8000000000000000671581Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.057{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplication\00002dbd602367c17150fd634e06518bb2b80000ffff\PublisherMozilla 13241300x8000000000000000671580Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.057{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\BinProductVersion88.0.1.7794 13241300x8000000000000000671579Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.041{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\LinkDate05/04/2021 16:36:40 13241300x8000000000000000671578Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.041{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\Publishermozilla foundation 13241300x8000000000000000671577Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.041{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\LowerCaseLongPathc:\program files\mozilla firefox\updater.exe 13241300x8000000000000000671576Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.041{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\plugin-hang-ui.e|29c2c5a171ba01f1\BinProductVersion88.0.1.0 13241300x8000000000000000671575Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.041{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\plugin-hang-ui.e|29c2c5a171ba01f1\LinkDate05/04/2021 16:36:23 13241300x8000000000000000671574Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.041{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\plugin-hang-ui.e|29c2c5a171ba01f1\Publishermozilla corporation 13241300x8000000000000000671573Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.041{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\plugin-hang-ui.e|29c2c5a171ba01f1\LowerCaseLongPathc:\program files\mozilla firefox\plugin-hang-ui.exe 13241300x8000000000000000671572Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.041{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\BinProductVersion88.0.1.0 13241300x8000000000000000671571Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.041{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\LinkDate05/04/2021 16:46:44 13241300x8000000000000000671570Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.041{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\Publishermozilla corporation 13241300x8000000000000000671569Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.041{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\LowerCaseLongPathc:\program files\mozilla firefox\plugin-container.exe 13241300x8000000000000000671568Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.026{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\BinProductVersion88.0.1.7794 13241300x8000000000000000671567Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.026{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\LinkDate05/04/2021 16:36:36 13241300x8000000000000000671566Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.026{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\Publishermozilla foundation 13241300x8000000000000000671565Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.026{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\LowerCaseLongPathc:\program files\mozilla firefox\pingsender.exe 13241300x8000000000000000671564Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.026{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\BinProductVersion88.0.1.7794 13241300x8000000000000000671563Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.026{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\LinkDate05/04/2021 16:36:37 13241300x8000000000000000671562Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.026{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\Publishermozilla foundation 13241300x8000000000000000671561Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.026{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\LowerCaseLongPathc:\program files\mozilla firefox\minidump-analyzer.exe 13241300x8000000000000000671560Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.026{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\BinProductVersion1.0.0.0 13241300x8000000000000000671559Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.026{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\LinkDate12/11/2016 21:50:55 13241300x8000000000000000671558Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.026{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\Publishermozilla corporation 13241300x8000000000000000671557Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.026{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\LowerCaseLongPathc:\program files\mozilla firefox\maintenanceservice_installer.exe 13241300x8000000000000000671556Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:36:58.023{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\BinProductVersion88.0.1.7794 13241300x8000000000000000671555Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:36:58.023{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\LinkDate05/04/2021 16:36:54 13241300x8000000000000000671554Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:36:58.023{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\Publishermozilla foundation 13241300x8000000000000000671553Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:36:58.023{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\LowerCaseLongPathc:\program files\mozilla firefox\maintenanceservice.exe 23542300x8000000000000000572673Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:36:59.679{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402B18657BA4549E77F7692BA54B6A97,SHA256=12C9BBB6FF70538B4D0A5279C01C0EA221BE18CF9DC2C506316787E673942726,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000671687Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671686Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671685Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671684Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671683Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671682Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671681Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671680Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671679Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671678Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671677Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671676Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671675Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671674Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671673Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671672Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671671Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671670Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.939{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671669Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.938{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671668Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.938{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671667Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.938{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671666Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.938{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671665Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.938{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671664Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.938{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671663Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.938{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671662Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.938{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671661Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.938{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671660Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.938{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671659Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.938{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671658Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.937{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000671657Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.937{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000671656Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:36:59.560{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0A10045BCA1B6A53E542EE626A9AB2,SHA256=37D76DEC34141621B8A9D9E35F2BE026F734031A601020B0019255EB1089F4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671689Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:00.874{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0828DBE286C6A65C40A8DCCC782651A4,SHA256=15585C0DA3644CB73C65D0E83DCBD67E31C703F2FC3CA86A276950F07D38E377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671688Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:00.874{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA4D8C8C9D02BC1F503F96D1E6B5D14,SHA256=D3A0B8AFF395F87C85B01749C168552A2D5B35364A3D5006B3CA48F6090C5FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572674Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:00.695{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57DE3DB7854EFDF8F0FF6FE39919DAC,SHA256=CD6428DB38C89ADFAA7F9CC5930E3DA80CD936FC5E52B8A8779D57DA11617EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572675Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:01.710{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88E4B1F41DF015FE08605DD4F5F7876,SHA256=49BF1A188B96F1FA4D2B57A925AD0825D8C086F31EC66303A1376AC73C24BE48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000671698Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:01.924{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49970116531D08E5E8440A6AAE03886F,SHA256=F7D289AF8076BAB71F9E72CAB4CBD9E475AAC9F14928CD90BD41A5EC8CEAEA41,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000671697Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:01.887{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\BinProductVersion2048.512.24125.32311 13241300x8000000000000000671696Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:01.887{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\LinkDate02/07/2020 15:19:24 13241300x8000000000000000671695Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:01.887{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\Publishersplunk inc. 13241300x8000000000000000671694Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:01.887{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-winprintmon.exe 13241300x8000000000000000671693Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:01.758{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\BinProductVersion2048.512.24125.32311 13241300x8000000000000000671692Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:01.758{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\LinkDate02/07/2020 15:19:16 13241300x8000000000000000671691Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:01.758{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\Publishersplunk inc. 13241300x8000000000000000671690Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:01.758{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-winhostinfo.exe 23542300x8000000000000000572678Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:02.726{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694A6FCBCBD0CA1557278ED880C914C7,SHA256=F01599E74022BAED4C5B93F5200716E61E6BB11CADAA7AFC10BD948623AA2978,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000672055Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.850{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\BinProductVersion(Empty) 13241300x8000000000000000672054Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.850{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672053Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.850{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\Publisher(Empty) 13241300x8000000000000000672052Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.849{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\LowerCaseLongPathc:\program files\git\usr\bin\factor.exe 13241300x8000000000000000672051Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.841{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\BinProductVersion(Empty) 13241300x8000000000000000672050Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.841{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672049Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.841{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\Publisher(Empty) 13241300x8000000000000000672048Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.841{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\LowerCaseLongPathc:\program files\git\usr\bin\expr.exe 13241300x8000000000000000672047Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.833{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\BinProductVersion(Empty) 13241300x8000000000000000672046Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.833{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672045Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.833{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\Publisher(Empty) 13241300x8000000000000000672044Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.833{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\LowerCaseLongPathc:\program files\git\usr\bin\expand.exe 13241300x8000000000000000672043Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.823{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\BinProductVersion(Empty) 13241300x8000000000000000672042Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.823{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672041Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.823{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\Publisher(Empty) 13241300x8000000000000000672040Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.823{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\LowerCaseLongPathc:\program files\git\usr\bin\ex.exe 13241300x8000000000000000672039Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.783{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\BinProductVersion0.19.8.0 13241300x8000000000000000672038Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.783{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672037Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.783{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\Publisherfree software foundation 13241300x8000000000000000672036Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.783{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\LowerCaseLongPathc:\program files\git\mingw64\bin\envsubst.exe 23542300x8000000000000000672035Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:02.783{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40191A0D050F89DB0BEE9070400C28BC,SHA256=FFABD5E3EF5DFA803464CC78DE317D84757F04D57C8994BE9F6FFF9C26A6402D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000672034Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.780{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\BinProductVersion0.19.8.0 13241300x8000000000000000672033Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.780{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\LinkDate12/01/2031 01:05:42 13241300x8000000000000000672032Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.780{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\Publisherfree software foundation 13241300x8000000000000000672031Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.780{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\LowerCaseLongPathc:\program files\git\usr\bin\envsubst.exe 13241300x8000000000000000672030Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.775{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\BinProductVersion(Empty) 13241300x8000000000000000672029Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.775{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672028Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.775{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\Publisher(Empty) 13241300x8000000000000000672027Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.775{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\LowerCaseLongPathc:\program files\git\usr\bin\env.exe 13241300x8000000000000000672026Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.772{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\BinProductVersion(Empty) 13241300x8000000000000000672025Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.772{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672024Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.772{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\Publisher(Empty) 13241300x8000000000000000672023Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.772{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\LowerCaseLongPathc:\program files\git\mingw64\bin\edit_test_dll.exe 13241300x8000000000000000672022Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.770{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\BinProductVersion(Empty) 13241300x8000000000000000672021Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.770{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672020Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.770{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\Publisher(Empty) 13241300x8000000000000000672019Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.770{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\LowerCaseLongPathc:\program files\git\mingw64\bin\edit_test.exe 13241300x8000000000000000672018Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.768{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\BinProductVersion(Empty) 13241300x8000000000000000672017Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.768{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\LinkDate03/27/2021 09:48:39 13241300x8000000000000000672016Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.767{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\Publisher(Empty) 13241300x8000000000000000672015Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.767{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\LowerCaseLongPathc:\program files\git\mingw64\share\git\edit-git-bash.exe 13241300x8000000000000000672014Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.757{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\echo.exe|263446599120623a\BinProductVersion(Empty) 13241300x8000000000000000672013Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.757{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\echo.exe|263446599120623a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672012Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.757{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\echo.exe|263446599120623a\Publisher(Empty) 13241300x8000000000000000672011Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.757{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\echo.exe|263446599120623a\LowerCaseLongPathc:\program files\git\usr\bin\echo.exe 13241300x8000000000000000672010Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.752{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\BinProductVersion(Empty) 13241300x8000000000000000672009Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.752{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672008Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.750{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\Publisher(Empty) 13241300x8000000000000000672007Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.750{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\LowerCaseLongPathc:\program files\git\usr\bin\dumpsexp.exe 13241300x8000000000000000672006Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.748{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\BinProductVersion(Empty) 13241300x8000000000000000672005Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.748{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672004Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.748{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\Publisher(Empty) 13241300x8000000000000000672003Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.748{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\LowerCaseLongPathc:\program files\git\usr\bin\du.exe 13241300x8000000000000000672002Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.731{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\BinProductVersion(Empty) 13241300x8000000000000000672001Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.731{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672000Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.731{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\Publisher(Empty) 13241300x8000000000000000671999Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.731{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\LowerCaseLongPathc:\program files\git\usr\bin\dos2unix.exe 13241300x8000000000000000671998Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.731{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\BinProductVersion(Empty) 13241300x8000000000000000671997Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.731{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671996Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.731{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\Publisher(Empty) 13241300x8000000000000000671995Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.731{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\LowerCaseLongPathc:\program files\git\usr\bin\dirname.exe 13241300x8000000000000000671994Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.731{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\BinProductVersion(Empty) 13241300x8000000000000000671993Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.731{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671992Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.731{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\Publisher(Empty) 13241300x8000000000000000671991Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.731{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\LowerCaseLongPathc:\program files\git\usr\bin\dirmngr.exe 13241300x8000000000000000671990Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.723{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\BinProductVersion(Empty) 13241300x8000000000000000671989Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.723{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671988Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.723{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\Publisher(Empty) 13241300x8000000000000000671987Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.723{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\LowerCaseLongPathc:\program files\git\usr\bin\dirmngr-client.exe 13241300x8000000000000000671986Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.719{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\BinProductVersion(Empty) 13241300x8000000000000000671985Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.719{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671984Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.719{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\Publisher(Empty) 13241300x8000000000000000671983Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.719{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\LowerCaseLongPathc:\program files\git\usr\bin\dircolors.exe 13241300x8000000000000000671982Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.719{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\BinProductVersion(Empty) 13241300x8000000000000000671981Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.719{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671980Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.719{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\Publisher(Empty) 13241300x8000000000000000671979Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.719{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\LowerCaseLongPathc:\program files\git\usr\bin\dir.exe 13241300x8000000000000000671978Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.712{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\BinProductVersion(Empty) 13241300x8000000000000000671977Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.711{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671976Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.711{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\Publisher(Empty) 13241300x8000000000000000671975Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.711{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\LowerCaseLongPathc:\program files\git\usr\bin\diff3.exe 13241300x8000000000000000671974Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.709{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\BinProductVersion(Empty) 13241300x8000000000000000671973Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.709{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671972Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.708{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\Publisher(Empty) 13241300x8000000000000000671971Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.708{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\LowerCaseLongPathc:\program files\git\usr\bin\diff.exe 13241300x8000000000000000671970Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.699{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\BinProductVersion(Empty) 13241300x8000000000000000671969Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.699{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671968Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.699{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\Publisher(Empty) 13241300x8000000000000000671967Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.699{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\LowerCaseLongPathc:\program files\git\usr\bin\df.exe 13241300x8000000000000000671966Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\BinProductVersion(Empty) 13241300x8000000000000000671965Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671964Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\Publisher(Empty) 13241300x8000000000000000671963Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\LowerCaseLongPathc:\program files\git\usr\bin\dd.exe 13241300x8000000000000000671962Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\BinProductVersion(Empty) 13241300x8000000000000000671961Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671960Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\Publisher(Empty) 13241300x8000000000000000671959Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\LowerCaseLongPathc:\program files\git\usr\bin\date.exe 13241300x8000000000000000671958Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\BinProductVersion(Empty) 13241300x8000000000000000671957Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671956Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\Publisher(Empty) 13241300x8000000000000000671955Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\LowerCaseLongPathc:\program files\git\usr\bin\dash.exe 13241300x8000000000000000671954Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\BinProductVersion(Empty) 13241300x8000000000000000671953Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671952Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\Publisher(Empty) 13241300x8000000000000000671951Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\LowerCaseLongPathc:\program files\git\usr\bin\d2u.exe 13241300x8000000000000000671950Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\BinProductVersion(Empty) 13241300x8000000000000000671949Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\LinkDate03/26/2021 22:24:41 13241300x8000000000000000671948Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\Publisher(Empty) 13241300x8000000000000000671947Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.678{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\LowerCaseLongPathc:\program files\git\usr\bin\cygwin-console-helper.exe 13241300x8000000000000000671946Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.662{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\BinProductVersion(Empty) 13241300x8000000000000000671945Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.662{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\LinkDate03/26/2021 22:24:39 13241300x8000000000000000671944Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.662{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\Publisher(Empty) 13241300x8000000000000000671943Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.662{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\LowerCaseLongPathc:\program files\git\usr\bin\cygpath.exe 13241300x8000000000000000671942Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.647{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\BinProductVersion(Empty) 13241300x8000000000000000671941Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.647{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\LinkDate03/26/2021 22:24:41 13241300x8000000000000000671940Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.647{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\Publisher(Empty) 13241300x8000000000000000671939Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.647{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\LowerCaseLongPathc:\program files\git\usr\bin\cygcheck.exe 13241300x8000000000000000671938Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.631{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\BinProductVersion(Empty) 13241300x8000000000000000671937Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.631{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671936Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.631{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\Publisher(Empty) 13241300x8000000000000000671935Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.631{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\LowerCaseLongPathc:\program files\git\usr\bin\cut.exe 13241300x8000000000000000671934Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.631{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\BinProductVersion(Empty) 13241300x8000000000000000671933Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.631{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\LinkDate02/04/2021 08:40:35 13241300x8000000000000000671932Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.631{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\Publisher(Empty) 13241300x8000000000000000671931Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.631{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\LowerCaseLongPathc:\program files\git\mingw64\bin\curl.exe 13241300x8000000000000000671930Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.620{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\BinProductVersion(Empty) 13241300x8000000000000000671929Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.620{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671928Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.620{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\Publisher(Empty) 13241300x8000000000000000671927Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.620{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\LowerCaseLongPathc:\program files\git\usr\bin\csplit.exe 13241300x8000000000000000671926Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\BinProductVersion(Empty) 13241300x8000000000000000671925Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671924Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\Publisher(Empty) 13241300x8000000000000000671923Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\LowerCaseLongPathc:\program files\git\mingw64\bin\create-shortcut.exe 13241300x8000000000000000671922Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\BinProductVersion(Empty) 13241300x8000000000000000671921Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671920Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\Publisher(Empty) 13241300x8000000000000000671919Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\LowerCaseLongPathc:\program files\git\usr\bin\cp.exe 13241300x8000000000000000671918Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\BinProductVersion(Empty) 13241300x8000000000000000671917Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671916Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\Publisher(Empty) 13241300x8000000000000000671915Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\LowerCaseLongPathc:\program files\git\mingw64\bin\connect.exe 13241300x8000000000000000671914Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\BinProductVersion2.31.1.1 13241300x8000000000000000671913Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\LinkDate03/27/2021 09:48:40 13241300x8000000000000000671912Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\Publisherthe git development community 13241300x8000000000000000671911Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.599{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\LowerCaseLongPathc:\program files\git\mingw64\share\git\compat-bash.exe 13241300x8000000000000000671910Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.596{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\BinProductVersion(Empty) 13241300x8000000000000000671909Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.596{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671908Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.596{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\Publisher(Empty) 13241300x8000000000000000671907Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.596{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\LowerCaseLongPathc:\program files\git\usr\bin\comm.exe 13241300x8000000000000000671906Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.596{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\BinProductVersion(Empty) 13241300x8000000000000000671905Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.596{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671904Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.595{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\Publisher(Empty) 13241300x8000000000000000671903Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.595{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\LowerCaseLongPathc:\program files\git\usr\bin\column.exe 13241300x8000000000000000671902Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\BinProductVersion(Empty) 13241300x8000000000000000671901Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671900Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\Publisher(Empty) 13241300x8000000000000000671899Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\LowerCaseLongPathc:\program files\git\usr\bin\cmp.exe 13241300x8000000000000000671898Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\BinProductVersion(Empty) 13241300x8000000000000000671897Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671896Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\Publisher(Empty) 13241300x8000000000000000671895Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\LowerCaseLongPathc:\program files\git\usr\bin\clear.exe 13241300x8000000000000000671894Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\BinProductVersion(Empty) 13241300x8000000000000000671893Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\LinkDate10/26/1974 18:18:40 13241300x8000000000000000671892Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\Publisher(Empty) 13241300x8000000000000000671891Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\LowerCaseLongPathc:\program files\git\usr\lib\gettext\cldr-plurals.exe 13241300x8000000000000000671890Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\BinProductVersion(Empty) 13241300x8000000000000000671889Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671888Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\Publisher(Empty) 13241300x8000000000000000671887Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\LowerCaseLongPathc:\program files\git\usr\bin\cksum.exe 13241300x8000000000000000671886Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\BinProductVersion(Empty) 13241300x8000000000000000671885Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671884Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\Publisher(Empty) 13241300x8000000000000000671883Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\LowerCaseLongPathc:\program files\git\usr\bin\chroot.exe 13241300x8000000000000000671882Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\BinProductVersion(Empty) 13241300x8000000000000000671881Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671880Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\Publisher(Empty) 13241300x8000000000000000671879Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\LowerCaseLongPathc:\program files\git\usr\bin\chown.exe 13241300x8000000000000000671878Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\BinProductVersion(Empty) 13241300x8000000000000000671877Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671876Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\Publisher(Empty) 13241300x8000000000000000671875Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\LowerCaseLongPathc:\program files\git\usr\bin\chmod.exe 13241300x8000000000000000671874Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\BinProductVersion(Empty) 13241300x8000000000000000671873Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671872Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\Publisher(Empty) 13241300x8000000000000000671871Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.576{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\LowerCaseLongPathc:\program files\git\usr\bin\chgrp.exe 13241300x8000000000000000671870Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.564{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\BinProductVersion(Empty) 13241300x8000000000000000671869Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.564{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671868Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.564{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\Publisher(Empty) 13241300x8000000000000000671867Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.564{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\LowerCaseLongPathc:\program files\git\usr\bin\chcon.exe 13241300x8000000000000000671866Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.564{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\BinProductVersion(Empty) 13241300x8000000000000000671865Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.564{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\LinkDate03/26/2021 22:24:39 13241300x8000000000000000671864Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.564{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\Publisher(Empty) 13241300x8000000000000000671863Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.564{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\LowerCaseLongPathc:\program files\git\usr\bin\chattr.exe 13241300x8000000000000000671862Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.552{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\BinProductVersion(Empty) 13241300x8000000000000000671861Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.552{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671860Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.552{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\Publisher(Empty) 13241300x8000000000000000671859Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.552{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\LowerCaseLongPathc:\program files\git\usr\bin\cat.exe 13241300x8000000000000000671858Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.552{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\BinProductVersion(Empty) 13241300x8000000000000000671857Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.552{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671856Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.552{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\Publisher(Empty) 13241300x8000000000000000671855Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.552{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\LowerCaseLongPathc:\program files\git\usr\bin\captoinfo.exe 13241300x8000000000000000671854Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\BinProductVersion(Empty) 13241300x8000000000000000671853Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671852Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\Publisher(Empty) 13241300x8000000000000000671851Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\LowerCaseLongPathc:\program files\git\mingw64\bin\bzip2recover.exe 13241300x8000000000000000671850Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\BinProductVersion(Empty) 13241300x8000000000000000671849Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671848Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\Publisher(Empty) 13241300x8000000000000000671847Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\LowerCaseLongPathc:\program files\git\usr\bin\bzip2recover.exe 13241300x8000000000000000671846Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\BinProductVersion(Empty) 13241300x8000000000000000671845Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671844Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\Publisher(Empty) 13241300x8000000000000000671843Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\LowerCaseLongPathc:\program files\git\mingw64\bin\bzip2.exe 13241300x8000000000000000671842Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\BinProductVersion(Empty) 13241300x8000000000000000671841Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671840Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\Publisher(Empty) 13241300x8000000000000000671839Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\LowerCaseLongPathc:\program files\git\usr\bin\bzip2.exe 13241300x8000000000000000671838Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\BinProductVersion(Empty) 13241300x8000000000000000671837Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671836Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\Publisher(Empty) 13241300x8000000000000000671835Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.529{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\LowerCaseLongPathc:\program files\git\usr\bin\bzcat.exe 13241300x8000000000000000671834Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.514{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\BinProductVersion(Empty) 13241300x8000000000000000671833Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.514{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671832Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.514{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\Publisher(Empty) 13241300x8000000000000000671831Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.514{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\LowerCaseLongPathc:\program files\git\mingw64\bin\bzcat.exe 13241300x8000000000000000671830Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.514{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\BinProductVersion(Empty) 13241300x8000000000000000671829Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.514{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671828Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.514{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\Publisher(Empty) 13241300x8000000000000000671827Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.514{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\LowerCaseLongPathc:\program files\git\mingw64\bin\bunzip2.exe 13241300x8000000000000000671826Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.498{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\BinProductVersion(Empty) 13241300x8000000000000000671825Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.498{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671824Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.498{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\Publisher(Empty) 13241300x8000000000000000671823Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.498{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\LowerCaseLongPathc:\program files\git\usr\bin\bunzip2.exe 13241300x8000000000000000671822Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.498{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\BinProductVersion(Empty) 13241300x8000000000000000671821Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.498{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671820Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.498{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\Publisher(Empty) 13241300x8000000000000000671819Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.498{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\LowerCaseLongPathc:\program files\git\mingw64\bin\brotli.exe 13241300x8000000000000000671818Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\BinProductVersion(Empty) 13241300x8000000000000000671817Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671816Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\Publisher(Empty) 13241300x8000000000000000671815Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\LowerCaseLongPathc:\program files\git\mingw64\bin\blocked-file-util.exe 13241300x8000000000000000671814Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\BinProductVersion2.31.1.1 13241300x8000000000000000671813Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\LinkDate03/27/2021 09:48:40 13241300x8000000000000000671812Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\Publisherthe git development community 13241300x8000000000000000671811Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\LowerCaseLongPathc:\program files\git\bin\bash.exe 13241300x8000000000000000671810Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\BinProductVersion(Empty) 13241300x8000000000000000671809Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\LinkDate12/04/2018 10:21:15 13241300x8000000000000000671808Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\Publisher(Empty) 13241300x8000000000000000671807Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\LowerCaseLongPathc:\program files\git\usr\bin\bash.exe 13241300x8000000000000000671806Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\BinProductVersion(Empty) 23542300x8000000000000000572677Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:02.289{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDA7ACB26D74974DEC0D48F73D7BB024,SHA256=EBCAD8A31248ED81CCD4D6918C255CC5B1EDAB3E76A152CDEAABB164268334D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572676Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:02.289{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C3B14A8A700FEC9B65E2826D25D1AD6,SHA256=E9D5298E884E0F65AC62DE96D7C90AF54F6ECD5F30AF084C16A93A98F018F63A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000671805Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671804Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\Publisher(Empty) 13241300x8000000000000000671803Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\LowerCaseLongPathc:\program files\git\usr\bin\basenc.exe 13241300x8000000000000000671802Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\BinProductVersion(Empty) 13241300x8000000000000000671801Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671800Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\Publisher(Empty) 13241300x8000000000000000671799Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\LowerCaseLongPathc:\program files\git\usr\bin\basename.exe 13241300x8000000000000000671798Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\BinProductVersion(Empty) 13241300x8000000000000000671797Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671796Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\Publisher(Empty) 13241300x8000000000000000671795Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\LowerCaseLongPathc:\program files\git\usr\bin\base64.exe 13241300x8000000000000000671794Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\BinProductVersion(Empty) 13241300x8000000000000000671793Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671792Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\Publisher(Empty) 13241300x8000000000000000671791Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.445{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\LowerCaseLongPathc:\program files\git\usr\bin\base32.exe 13241300x8000000000000000671790Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.429{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\BinProductVersion(Empty) 13241300x8000000000000000671789Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.429{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671788Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.429{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\Publisher(Empty) 13241300x8000000000000000671787Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.429{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\LowerCaseLongPathc:\program files\git\usr\bin\b2sum.exe 13241300x8000000000000000671786Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.429{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\BinProductVersion(Empty) 13241300x8000000000000000671785Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.429{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671784Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.429{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\Publisher(Empty) 13241300x8000000000000000671783Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.429{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\LowerCaseLongPathc:\program files\git\usr\bin\awk.exe 13241300x8000000000000000671782Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.413{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\BinProductVersion2.0.394.0 13241300x8000000000000000671781Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.413{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\LinkDate04/29/2104 14:55:02 13241300x8000000000000000671780Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.413{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\Publisheratlassian.bitbucket.ui 13241300x8000000000000000671779Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.413{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\atlassian.bitbucket.ui.exe 13241300x8000000000000000671778Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.413{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\BinProductVersion(Empty) 13241300x8000000000000000671777Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.413{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671776Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.413{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\Publisher(Empty) 13241300x8000000000000000671775Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.413{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\LowerCaseLongPathc:\program files\git\usr\bin\arch.exe 13241300x8000000000000000671774Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.413{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\BinProductVersion(Empty) 13241300x8000000000000000671773Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.413{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671772Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.413{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\Publisher(Empty) 13241300x8000000000000000671771Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.413{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\LowerCaseLongPathc:\program files\git\mingw64\bin\antiword.exe 13241300x8000000000000000671770Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.398{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\BinProductVersion(Empty) 13241300x8000000000000000671769Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.398{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671768Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.398{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\Publisher(Empty) 13241300x8000000000000000671767Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.398{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\LowerCaseLongPathc:\program files\git\mingw64\bin\ahost.exe 13241300x8000000000000000671766Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.398{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\BinProductVersion(Empty) 13241300x8000000000000000671765Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.398{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671764Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.398{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\Publisher(Empty) 13241300x8000000000000000671763Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.398{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\LowerCaseLongPathc:\program files\git\mingw64\bin\adig.exe 13241300x8000000000000000671762Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.398{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\BinProductVersion(Empty) 13241300x8000000000000000671761Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.398{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671760Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.398{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\Publisher(Empty) 13241300x8000000000000000671759Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.398{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\LowerCaseLongPathc:\program files\git\mingw64\bin\acountry.exe 13241300x8000000000000000671758Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.393{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplication\0000c1df386b1b2c5d48d4b44564d46655ae0000ffff\PublisherMozilla 13241300x8000000000000000671757Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.392{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\BinProductVersion1.0.0.0 13241300x8000000000000000671756Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.392{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\LinkDate12/11/2016 21:50:55 13241300x8000000000000000671755Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.392{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\Publishermozilla corporation 13241300x8000000000000000671754Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.392{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\LowerCaseLongPathc:\program files (x86)\mozilla maintenance service\uninstall.exe 13241300x8000000000000000671753Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.390{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\BinProductVersion88.0.1.7794 13241300x8000000000000000671752Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.390{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\LinkDate05/04/2021 16:36:54 13241300x8000000000000000671751Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.390{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\Publishermozilla foundation 13241300x8000000000000000671750Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.389{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\LowerCaseLongPathc:\program files (x86)\mozilla maintenance service\maintenanceservice.exe 23542300x8000000000000000671749Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:02.385{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7325A5356DA7441A63ACFC8DCCC9D5A,SHA256=39DD1B42A6C231FF6AB6E2310238DB1963B5B86CB0F1695DD9DA1EB974900CEE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000671748Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.371{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplication\0000a9678529fb5fa8569685ef3e4543583f0000ffff\PublisherAmazon Web Services 13241300x8000000000000000671747Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.370{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\amazonssmagentse|9538aa2019cf27d0\BinProductVersion3.0.529.0 13241300x8000000000000000671746Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.370{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\amazonssmagentse|9538aa2019cf27d0\LinkDate05/01/2017 14:33:52 13241300x8000000000000000671745Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.370{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\amazonssmagentse|9538aa2019cf27d0\Publisheramazon web services 13241300x8000000000000000671744Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.370{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\amazonssmagentse|9538aa2019cf27d0\LowerCaseLongPathc:\programdata\package cache\{674c5ef7-9d50-4540-a711-6b82e2469bd0}\amazonssmagentsetup.exe 13241300x8000000000000000671743Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.358{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplication\0000a9678529fb5fa8569685ef3e4543583f00000904\PublisherAmazon Web Services 13241300x8000000000000000671742Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.356{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\BinProductVersion(Empty) 13241300x8000000000000000671741Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.356{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\LinkDate01/01/1970 00:00:00 13241300x8000000000000000671740Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.356{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\Publisher(Empty) 13241300x8000000000000000671739Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.356{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\LowerCaseLongPathc:\program files\amazon\ssm\ssm-agent-worker.exe 13241300x8000000000000000671738Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.179{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplication\0000a32b64966830ad0100b29547ca5511020000ffff\PublisherAmazon Web Services 13241300x8000000000000000671737Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.163{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\aws-cfn-bootstra|65c81b6df64de18d\BinProductVersion2.0.6.0 13241300x8000000000000000671736Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.163{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\aws-cfn-bootstra|65c81b6df64de18d\LinkDate09/17/2019 05:33:38 13241300x8000000000000000671735Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.163{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\aws-cfn-bootstra|65c81b6df64de18d\Publisheramazon web services 13241300x8000000000000000671734Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.163{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\aws-cfn-bootstra|65c81b6df64de18d\LowerCaseLongPathc:\programdata\package cache\{09259595-ce26-4705-b47e-59d9e3ccebb9}\aws-cfn-bootstrap-bundle.exe 13241300x8000000000000000671733Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.147{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplication\0000a0119b997e1ff1f405659fca10378fff0000ffff\PublisherMicrosoft Corporation 13241300x8000000000000000671732Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.147{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vc_redist.x64.ex|b72113d8ab25b2ea\BinProductVersion14.28.29913.0 13241300x8000000000000000671731Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.147{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vc_redist.x64.ex|b72113d8ab25b2ea\LinkDate11/18/2017 21:37:28 13241300x8000000000000000671730Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.147{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vc_redist.x64.ex|b72113d8ab25b2ea\Publishermicrosoft corporation 13241300x8000000000000000671729Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.147{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vc_redist.x64.ex|b72113d8ab25b2ea\LowerCaseLongPathc:\programdata\package cache\{855e31d2-9031-46e1-b06d-c9d7777deefb}\vc_redist.x64.exe 13241300x8000000000000000671728Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.125{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplication\000093234134b3a2576f4dc4445ca91cb81100000904\PublisherOpen Information Security Foundation 13241300x8000000000000000671727Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.125{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\npcap.exe|5ae00036de77062f\BinProductVersion5.1.20.305 13241300x8000000000000000671726Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.125{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\npcap.exe|5ae00036de77062f\LinkDate08/01/2020 03:02:30 13241300x8000000000000000671725Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.125{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\npcap.exe|5ae00036de77062f\Publisher(Empty) 13241300x8000000000000000671724Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.125{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\npcap.exe|5ae00036de77062f\LowerCaseLongPathc:\temp\npcap.exe 13241300x8000000000000000671723Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.111{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplication\00006e465eb93b9ef9ed1111015f594f733000000904\PublisherSplunk, Inc. 13241300x8000000000000000671722Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.111{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\BinProductVersion(Empty) 13241300x8000000000000000671721Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.111{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\LinkDate01/10/2020 01:30:07 13241300x8000000000000000671720Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.111{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\Publisher(Empty) 13241300x8000000000000000671719Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.111{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\srm.exe 13241300x8000000000000000671718Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.111{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\BinProductVersion10.0.10011.16384 13241300x8000000000000000671717Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.111{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\LinkDate10/02/2019 17:37:14 13241300x8000000000000000671716Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.111{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\Publisherwindows (r) win 7 ddk provider 13241300x8000000000000000671715Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.111{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunkmonitornohandledrv.sys 13241300x8000000000000000671714Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.079{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\BinProductVersion10.0.10011.16384 13241300x8000000000000000671713Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.079{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\LinkDate10/02/2019 17:37:08 13241300x8000000000000000671712Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.079{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\Publisherwindows (r) win 7 ddk provider 13241300x8000000000000000671711Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.079{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunkdrv.sys 13241300x8000000000000000671710Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.079{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\BinProductVersion2048.512.24125.32311 13241300x8000000000000000671709Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.079{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\LinkDate02/07/2020 15:26:19 13241300x8000000000000000671708Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.079{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\Publishersplunk inc. 13241300x8000000000000000671707Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.079{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunkd.exe 13241300x8000000000000000671706Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:01.992{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\BinProductVersion2048.512.24125.32311 13241300x8000000000000000671705Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:01.992{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\LinkDate02/07/2020 15:13:21 13241300x8000000000000000671704Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:01.992{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\Publishersplunk inc. 13241300x8000000000000000671703Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:01.992{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk.exe 13241300x8000000000000000671702Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:01.992{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\BinProductVersion2048.512.24125.32311 13241300x8000000000000000671701Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:01.992{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\LinkDate02/07/2020 15:24:43 13241300x8000000000000000671700Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:01.992{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\Publishersplunk inc. 13241300x8000000000000000671699Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:01.992{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-wmi.exe 23542300x8000000000000000572680Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:03.726{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E90F94771750D5E19DCD64DE5E402C,SHA256=4B46E0E01CE06D1270DAECB1D540636C02BDCEE12FA1AE17F75ED8EB1FECD073,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000672419Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.991{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\BinProductVersion2.31.1.1 13241300x8000000000000000672418Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.991{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\LinkDate03/27/2021 09:56:32 13241300x8000000000000000672417Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.991{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\Publisherthe git development community 13241300x8000000000000000672416Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.991{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-http-push.exe 13241300x8000000000000000672415Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.972{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\BinProductVersion2.31.1.1 13241300x8000000000000000672414Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.972{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\LinkDate03/27/2021 09:56:30 13241300x8000000000000000672413Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.972{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\Publisherthe git development community 13241300x8000000000000000672412Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.972{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-http-fetch.exe 354300x8000000000000000672411Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:02.471{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51189-false10.0.1.12-8000- 13241300x8000000000000000672410Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.953{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\BinProductVersion2.31.1.1 13241300x8000000000000000672409Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.953{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\LinkDate03/27/2021 09:56:26 13241300x8000000000000000672408Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.953{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\Publisherthe git development community 13241300x8000000000000000672407Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.953{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-http-backend.exe 13241300x8000000000000000672406Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.937{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\BinProductVersion2.31.1.1 13241300x8000000000000000672405Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.937{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672404Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.936{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\Publisherthe git development community 13241300x8000000000000000672403Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.936{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-help.exe 13241300x8000000000000000672402Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.922{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\BinProductVersion2.31.1.1 13241300x8000000000000000672401Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.922{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672400Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.921{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\Publisherthe git development community 13241300x8000000000000000672399Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.921{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-hash-object.exe 13241300x8000000000000000672398Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.911{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\BinProductVersion2.31.1.1 13241300x8000000000000000672397Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.911{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\LinkDate03/27/2021 09:48:41 13241300x8000000000000000672396Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.911{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\Publisherthe git development community 13241300x8000000000000000672395Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.910{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\LowerCaseLongPathc:\program files\git\cmd\git-gui.exe 13241300x8000000000000000672394Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.906{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\BinProductVersion2.31.1.1 13241300x8000000000000000672393Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.906{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672392Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.906{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\Publisherthe git development community 13241300x8000000000000000672391Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.906{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-grep.exe 13241300x8000000000000000672390Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.892{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\BinProductVersion2.31.1.1 13241300x8000000000000000672389Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.892{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672388Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.892{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\Publisherthe git development community 13241300x8000000000000000672387Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.892{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-get-tar-commit-id.exe 13241300x8000000000000000672386Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.881{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\BinProductVersion2.31.1.1 13241300x8000000000000000672385Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.881{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672384Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.881{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\Publisherthe git development community 13241300x8000000000000000672383Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.881{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-gc.exe 13241300x8000000000000000672382Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.871{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\BinProductVersion2.31.1.1 13241300x8000000000000000672381Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.871{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672380Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.871{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\Publisherthe git development community 13241300x8000000000000000672379Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.871{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fsmonitor--daemon.exe 13241300x8000000000000000672378Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.857{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\BinProductVersion2.31.1.1 13241300x8000000000000000672377Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.857{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672376Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.857{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\Publisherthe git development community 13241300x8000000000000000672375Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.857{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fsck.exe 13241300x8000000000000000672374Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.850{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\BinProductVersion2.31.1.1 13241300x8000000000000000672373Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.849{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672372Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.849{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\Publisherthe git development community 13241300x8000000000000000672371Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.849{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fsck-objects.exe 13241300x8000000000000000672370Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.838{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\BinProductVersion2.31.1.1 13241300x8000000000000000672369Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.838{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672368Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.838{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\Publisherthe git development community 13241300x8000000000000000672367Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.838{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-format-patch.exe 13241300x8000000000000000672366Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.827{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\BinProductVersion2.31.1.1 13241300x8000000000000000672365Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.827{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672364Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.827{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\Publisherthe git development community 13241300x8000000000000000672363Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.827{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-for-each-repo.exe 13241300x8000000000000000672362Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.817{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\BinProductVersion2.31.1.1 13241300x8000000000000000672361Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.817{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672360Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.816{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\Publisherthe git development community 13241300x8000000000000000672359Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.816{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-for-each-ref.exe 13241300x8000000000000000672358Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.806{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\BinProductVersion2.31.1.1 13241300x8000000000000000672357Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.806{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672356Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.806{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\Publisherthe git development community 13241300x8000000000000000672355Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.806{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fmt-merge-msg.exe 13241300x8000000000000000672354Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.794{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\BinProductVersion2.31.1.1 13241300x8000000000000000672353Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.794{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672352Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.794{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\Publisherthe git development community 13241300x8000000000000000672351Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.794{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fetch.exe 13241300x8000000000000000672350Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.784{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\BinProductVersion2.31.1.1 13241300x8000000000000000672349Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.784{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672348Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.784{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\Publisherthe git development community 13241300x8000000000000000672347Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.784{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fetch-pack.exe 13241300x8000000000000000672346Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.773{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\BinProductVersion2.31.1.1 13241300x8000000000000000672345Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.773{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672344Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.773{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\Publisherthe git development community 13241300x8000000000000000672343Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.773{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fast-import.exe 13241300x8000000000000000672342Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.762{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\BinProductVersion2.31.1.1 13241300x8000000000000000672341Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.762{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672340Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.762{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\Publisherthe git development community 13241300x8000000000000000672339Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.762{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fast-export.exe 13241300x8000000000000000672338Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.749{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\BinProductVersion2.31.1.1 13241300x8000000000000000672337Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.749{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672336Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.749{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\Publisherthe git development community 13241300x8000000000000000672335Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.749{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-env--helper.exe 13241300x8000000000000000672334Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.736{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\BinProductVersion2.31.1.1 13241300x8000000000000000672333Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.736{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672332Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.736{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\Publisherthe git development community 13241300x8000000000000000672331Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.736{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-difftool.exe 13241300x8000000000000000672330Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.730{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\BinProductVersion2.31.1.1 13241300x8000000000000000672329Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.730{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672328Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.730{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\Publisherthe git development community 13241300x8000000000000000672327Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.730{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff.exe 13241300x8000000000000000672326Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.715{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\BinProductVersion2.31.1.1 13241300x8000000000000000672325Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.715{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672324Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.715{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\Publisherthe git development community 13241300x8000000000000000672323Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.715{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff-tree.exe 13241300x8000000000000000672322Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.702{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\BinProductVersion2.31.1.1 13241300x8000000000000000672321Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.702{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672320Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.701{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\Publisherthe git development community 13241300x8000000000000000672319Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.701{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff-index.exe 13241300x8000000000000000672318Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.687{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\BinProductVersion2.31.1.1 13241300x8000000000000000672317Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.687{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672316Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.687{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\Publisherthe git development community 13241300x8000000000000000672315Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.687{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff-files.exe 13241300x8000000000000000672314Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.674{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\BinProductVersion2.31.1.1 13241300x8000000000000000672313Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.674{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672312Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.674{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\Publisherthe git development community 13241300x8000000000000000672311Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.674{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-describe.exe 13241300x8000000000000000672310Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.666{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\BinProductVersion2.31.1.1 13241300x8000000000000000672309Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.665{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\LinkDate03/27/2021 09:56:24 13241300x8000000000000000672308Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.665{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\Publisherthe git development community 13241300x8000000000000000672307Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.665{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-daemon.exe 13241300x8000000000000000672306Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.641{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\BinProductVersion2.31.1.1 13241300x8000000000000000672305Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.641{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672304Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.640{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\Publisherthe git development community 13241300x8000000000000000672303Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.640{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential.exe 13241300x8000000000000000672302Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.629{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\BinProductVersion(Empty) 13241300x8000000000000000672301Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.629{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\LinkDate03/27/2021 09:48:42 13241300x8000000000000000672300Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.628{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\Publisher(Empty) 13241300x8000000000000000672299Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.628{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-wincred.exe 13241300x8000000000000000672298Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.627{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\BinProductVersion2.31.1.1 13241300x8000000000000000672297Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.627{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672296Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.627{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\Publisherthe git development community 13241300x8000000000000000672295Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.627{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-store.exe 13241300x8000000000000000672294Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.607{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-m|55d73dc387b631bc\BinProductVersion1.20.0.0 13241300x8000000000000000672293Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.607{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-m|55d73dc387b631bc\LinkDate09/05/2019 15:02:13 13241300x8000000000000000672292Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-m|55d73dc387b631bc\Publishermicrosoft corporation 13241300x8000000000000000672291Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-m|55d73dc387b631bc\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-manager.exe 13241300x8000000000000000672290Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.601{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\BinProductVersion2.0.394.0 13241300x8000000000000000672289Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.601{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\LinkDate11/18/2091 14:46:43 13241300x8000000000000000672288Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.601{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\Publishergit-credential-manager-core 13241300x8000000000000000672287Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.600{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-manager-core.exe 13241300x8000000000000000672286Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.598{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\BinProductVersion(Empty) 13241300x8000000000000000672285Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.598{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672284Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.598{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\Publisher(Empty) 13241300x8000000000000000672283Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.598{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\LowerCaseLongPathc:\program files\git\mingw64\bin\git-credential-helper-selector.exe 13241300x8000000000000000672282Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.597{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\BinProductVersion2.31.1.1 13241300x8000000000000000672281Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.597{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672280Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.597{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\Publisherthe git development community 13241300x8000000000000000672279Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.597{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-cache.exe 13241300x8000000000000000672278Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.583{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\BinProductVersion2.31.1.1 13241300x8000000000000000672277Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.583{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672276Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.583{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\Publisherthe git development community 13241300x8000000000000000672275Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.582{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-cache--daemon.exe 13241300x8000000000000000672274Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.565{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\BinProductVersion2.31.1.1 13241300x8000000000000000672273Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.565{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672272Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.565{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\Publisherthe git development community 13241300x8000000000000000672271Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.565{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-count-objects.exe 13241300x8000000000000000672270Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.553{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\BinProductVersion2.31.1.1 13241300x8000000000000000672269Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.553{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672268Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.553{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\Publisherthe git development community 13241300x8000000000000000672267Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.553{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-config.exe 13241300x8000000000000000672266Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.543{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\BinProductVersion2.31.1.1 13241300x8000000000000000672265Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.543{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672264Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.543{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\Publisherthe git development community 13241300x8000000000000000672263Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.543{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-commit.exe 13241300x8000000000000000672262Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.527{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\BinProductVersion2.31.1.1 13241300x8000000000000000672261Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.527{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672260Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.527{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\Publisherthe git development community 13241300x8000000000000000672259Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.527{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-commit-tree.exe 13241300x8000000000000000672258Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.509{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\BinProductVersion2.31.1.1 13241300x8000000000000000672257Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.509{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672256Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.509{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\Publisherthe git development community 13241300x8000000000000000672255Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.509{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-commit-graph.exe 13241300x8000000000000000672254Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.497{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\BinProductVersion2.31.1.1 13241300x8000000000000000672253Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.497{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672252Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.497{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\Publisherthe git development community 13241300x8000000000000000672251Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.497{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-column.exe 13241300x8000000000000000672250Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.478{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\BinProductVersion2.31.1.1 13241300x8000000000000000672249Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.478{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\LinkDate03/27/2021 09:48:40 13241300x8000000000000000672248Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.478{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\Publisherthe git development community 13241300x8000000000000000672247Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.478{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\LowerCaseLongPathc:\program files\git\git-cmd.exe 13241300x8000000000000000672246Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.478{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\BinProductVersion2.31.1.1 13241300x8000000000000000672245Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.478{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672244Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.478{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\Publisherthe git development community 13241300x8000000000000000672243Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.478{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-clone.exe 13241300x8000000000000000672242Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.457{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\BinProductVersion2.31.1.1 13241300x8000000000000000672241Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.457{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672240Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.457{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\Publisherthe git development community 13241300x8000000000000000672239Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.457{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-clean.exe 13241300x8000000000000000672238Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.429{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\BinProductVersion2.31.1.1 13241300x8000000000000000672237Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.429{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672236Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.429{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\Publisherthe git development community 13241300x8000000000000000672235Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.429{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-cherry.exe 23542300x8000000000000000672234Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:03.416{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E049C5C6F47F0EA19BC83AB5D6BDE5D7,SHA256=77CA0823D123BB74FB0ACABC9B0D07F2DC0D626B1D43BF238F24763245632F15,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000672233Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.396{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\BinProductVersion2.31.1.1 13241300x8000000000000000672232Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.396{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672231Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.395{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\Publisherthe git development community 13241300x8000000000000000672230Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.395{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-cherry-pick.exe 13241300x8000000000000000672229Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.371{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\BinProductVersion2.31.1.1 13241300x8000000000000000672228Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.371{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672227Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.371{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\Publisherthe git development community 13241300x8000000000000000672226Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.371{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-checkout.exe 13241300x8000000000000000672225Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.349{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\BinProductVersion2.31.1.1 13241300x8000000000000000672224Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.349{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\LinkDate03/27/2021 09:56:23 354300x8000000000000000572679Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:00.873{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52789-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x8000000000000000672223Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.349{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\Publisherthe git development community 23542300x8000000000000000672222Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:03.345{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=267443EDF66C3EF02A4AA77A9074E76C,SHA256=909622F8659DFEA6CB6676B9CB107E1AF2FC62EDFB83D9F3EA14F195CB622FCB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000672221Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.345{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-checkout-index.exe 13241300x8000000000000000672220Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.323{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\BinProductVersion2.31.1.1 13241300x8000000000000000672219Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.323{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672218Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.323{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\Publisherthe git development community 13241300x8000000000000000672217Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.323{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-ref-format.exe 13241300x8000000000000000672216Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.298{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\BinProductVersion2.31.1.1 13241300x8000000000000000672215Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.298{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672214Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.298{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\Publisherthe git development community 13241300x8000000000000000672213Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.298{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-mailmap.exe 13241300x8000000000000000672212Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.258{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\BinProductVersion2.31.1.1 13241300x8000000000000000672211Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.258{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672210Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.258{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\Publisherthe git development community 13241300x8000000000000000672209Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.258{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-ignore.exe 13241300x8000000000000000672208Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.231{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\BinProductVersion2.31.1.1 13241300x8000000000000000672207Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.231{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672206Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.231{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\Publisherthe git development community 13241300x8000000000000000672205Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.231{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-attr.exe 13241300x8000000000000000672204Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.198{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\BinProductVersion2.31.1.1 13241300x8000000000000000672203Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.198{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672202Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.198{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\Publisherthe git development community 13241300x8000000000000000672201Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.198{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-cat-file.exe 23542300x8000000000000000672200Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:03.166{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FB7729A53D4AD8A802CF2ACE902AC2,SHA256=C5D96FC02B5E5A7FCF44515B70DE8C7F5AD940911992D0BEE204A070DF0400EB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000672199Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.150{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\BinProductVersion2.31.1.1 13241300x8000000000000000672198Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.150{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672197Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.150{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\Publisherthe git development community 13241300x8000000000000000672196Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.150{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-bundle.exe 13241300x8000000000000000672195Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.128{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\BinProductVersion2.31.1.1 13241300x8000000000000000672194Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.128{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672193Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.128{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\Publisherthe git development community 13241300x8000000000000000672192Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.128{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-bugreport.exe 13241300x8000000000000000672191Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.116{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\BinProductVersion2.31.1.1 13241300x8000000000000000672190Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.116{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672189Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.116{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\Publisherthe git development community 13241300x8000000000000000672188Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.116{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-branch.exe 13241300x8000000000000000672187Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.105{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\BinProductVersion2.31.1.1 13241300x8000000000000000672186Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.105{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672185Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.105{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\Publisherthe git development community 13241300x8000000000000000672184Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.105{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-blame.exe 13241300x8000000000000000672183Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.088{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\BinProductVersion2.31.1.1 13241300x8000000000000000672182Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.088{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672181Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.087{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\Publisherthe git development community 13241300x8000000000000000672180Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.087{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-bisect--helper.exe 13241300x8000000000000000672179Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.076{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\BinProductVersion2.31.1.1 13241300x8000000000000000672178Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.076{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\LinkDate03/27/2021 09:48:40 13241300x8000000000000000672177Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.076{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\Publisherthe git development community 13241300x8000000000000000672176Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.076{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\LowerCaseLongPathc:\program files\git\git-bash.exe 13241300x8000000000000000672175Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.068{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\BinProductVersion(Empty) 13241300x8000000000000000672174Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.068{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672173Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.068{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\Publisher(Empty) 13241300x8000000000000000672172Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.068{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\LowerCaseLongPathc:\program files\git\mingw64\bin\git-askyesno.exe 13241300x8000000000000000672171Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.067{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-askpass.exe|ac0f34128b42387d\BinProductVersion1.20.0.0 13241300x8000000000000000672170Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.067{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-askpass.exe|ac0f34128b42387d\LinkDate09/06/2019 12:59:42 13241300x8000000000000000672169Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.067{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-askpass.exe|ac0f34128b42387d\Publishermicrosoft corporation 13241300x8000000000000000672168Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.067{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-askpass.exe|ac0f34128b42387d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-askpass.exe 13241300x8000000000000000672167Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.061{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\BinProductVersion2.31.1.1 13241300x8000000000000000672166Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.060{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672165Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.060{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\Publisherthe git development community 13241300x8000000000000000672164Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.060{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-archive.exe 13241300x8000000000000000672163Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.039{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\BinProductVersion2.31.1.1 13241300x8000000000000000672162Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.039{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672161Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.039{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\Publisherthe git development community 13241300x8000000000000000672160Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.039{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-apply.exe 13241300x8000000000000000672159Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:03.010{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\BinProductVersion2.31.1.1 13241300x8000000000000000672158Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:03.010{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672157Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:03.010{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\Publisherthe git development community 13241300x8000000000000000672156Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:03.010{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-annotate.exe 13241300x8000000000000000672155Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.999{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\BinProductVersion2.31.1.1 13241300x8000000000000000672154Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.999{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672153Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.999{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\Publisherthe git development community 13241300x8000000000000000672152Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.998{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-am.exe 13241300x8000000000000000672151Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.988{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\BinProductVersion2.31.1.1 13241300x8000000000000000672150Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.988{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672149Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.988{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\Publisherthe git development community 13241300x8000000000000000672148Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.988{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-add.exe 13241300x8000000000000000672147Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.950{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gio-querymodules|c9cec5f8077b3334\BinProductVersion(Empty) 13241300x8000000000000000672146Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.950{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gio-querymodules|c9cec5f8077b3334\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672145Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.950{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gio-querymodules|c9cec5f8077b3334\Publisher(Empty) 13241300x8000000000000000672144Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.950{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gio-querymodules|c9cec5f8077b3334\LowerCaseLongPathc:\program files\git\usr\bin\gio-querymodules.exe 13241300x8000000000000000672143Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.950{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\BinProductVersion0.19.8.0 13241300x8000000000000000672142Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.950{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\LinkDate01/01/1970 04:44:00 13241300x8000000000000000672141Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.950{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\Publisherfree software foundation 13241300x8000000000000000672140Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.950{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\LowerCaseLongPathc:\program files\git\usr\bin\gettext.exe 13241300x8000000000000000672139Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.949{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\BinProductVersion0.19.8.0 13241300x8000000000000000672138Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.948{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672137Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.948{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\Publisherfree software foundation 13241300x8000000000000000672136Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.948{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\LowerCaseLongPathc:\program files\git\mingw64\bin\gettext.exe 13241300x8000000000000000672135Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.944{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\BinProductVersion(Empty) 13241300x8000000000000000672134Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.944{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\LinkDate03/26/2021 22:24:41 13241300x8000000000000000672133Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.944{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\Publisher(Empty) 13241300x8000000000000000672132Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.944{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\LowerCaseLongPathc:\program files\git\usr\libexec\getprocaddr64.exe 13241300x8000000000000000672131Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.934{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\BinProductVersion(Empty) 13241300x8000000000000000672130Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.934{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\LinkDate03/26/2021 22:24:41 13241300x8000000000000000672129Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.934{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\Publisher(Empty) 13241300x8000000000000000672128Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.934{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\LowerCaseLongPathc:\program files\git\usr\libexec\getprocaddr32.exe 13241300x8000000000000000672127Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.926{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\BinProductVersion(Empty) 13241300x8000000000000000672126Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.926{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672125Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.926{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\Publisher(Empty) 13241300x8000000000000000672124Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.926{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\LowerCaseLongPathc:\program files\git\usr\bin\getopt.exe 13241300x8000000000000000672123Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.926{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\BinProductVersion(Empty) 13241300x8000000000000000672122Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.925{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\LinkDate03/26/2021 22:24:39 13241300x8000000000000000672121Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.925{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\Publisher(Empty) 13241300x8000000000000000672120Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.925{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\LowerCaseLongPathc:\program files\git\usr\bin\getfacl.exe 13241300x8000000000000000672119Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.919{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\BinProductVersion(Empty) 13241300x8000000000000000672118Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.919{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\LinkDate03/26/2021 22:24:39 13241300x8000000000000000672117Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.919{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\Publisher(Empty) 13241300x8000000000000000672116Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.919{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\LowerCaseLongPathc:\program files\git\usr\bin\getconf.exe 13241300x8000000000000000672115Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.913{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\BinProductVersion(Empty) 13241300x8000000000000000672114Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.913{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\LinkDate03/26/2021 22:24:39 13241300x8000000000000000672113Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.913{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\Publisher(Empty) 13241300x8000000000000000672112Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.913{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\LowerCaseLongPathc:\program files\git\usr\bin\gencat.exe 13241300x8000000000000000672111Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.910{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gdbus.exe|bf2693ac7275e90\BinProductVersion(Empty) 13241300x8000000000000000672110Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.910{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gdbus.exe|bf2693ac7275e90\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672109Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.910{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gdbus.exe|bf2693ac7275e90\Publisher(Empty) 13241300x8000000000000000672108Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.910{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gdbus.exe|bf2693ac7275e90\LowerCaseLongPathc:\program files\git\usr\bin\gdbus.exe 13241300x8000000000000000672107Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.910{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\BinProductVersion(Empty) 13241300x8000000000000000672106Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.910{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672105Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.910{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\Publisher(Empty) 13241300x8000000000000000672104Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.910{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\LowerCaseLongPathc:\program files\git\usr\bin\gawk.exe 13241300x8000000000000000672103Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.900{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\BinProductVersion(Empty) 13241300x8000000000000000672102Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.900{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672101Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.900{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\Publisher(Empty) 13241300x8000000000000000672100Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.900{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\LowerCaseLongPathc:\program files\git\usr\bin\gawk-5.0.0.exe 13241300x8000000000000000672099Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.891{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gapplication.exe|4ee0a6aaade17793\BinProductVersion(Empty) 13241300x8000000000000000672098Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.891{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gapplication.exe|4ee0a6aaade17793\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672097Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.891{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gapplication.exe|4ee0a6aaade17793\Publisher(Empty) 13241300x8000000000000000672096Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.891{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gapplication.exe|4ee0a6aaade17793\LowerCaseLongPathc:\program files\git\usr\bin\gapplication.exe 13241300x8000000000000000672095Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.890{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\BinProductVersion(Empty) 13241300x8000000000000000672094Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.890{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\LinkDate05/08/2031 18:06:26 13241300x8000000000000000672093Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.889{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\Publisher(Empty) 13241300x8000000000000000672092Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.889{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\LowerCaseLongPathc:\program files\git\usr\bin\funzip.exe 13241300x8000000000000000672091Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.883{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\BinProductVersion(Empty) 13241300x8000000000000000672090Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.883{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672089Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.883{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\Publisher(Empty) 13241300x8000000000000000672088Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.883{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\LowerCaseLongPathc:\program files\git\usr\libexec\frcode.exe 13241300x8000000000000000672087Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.882{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\BinProductVersion(Empty) 13241300x8000000000000000672086Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.882{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672085Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.882{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\Publisher(Empty) 13241300x8000000000000000672084Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.882{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\LowerCaseLongPathc:\program files\git\usr\bin\fold.exe 13241300x8000000000000000672083Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\BinProductVersion(Empty) 13241300x8000000000000000672082Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672081Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\Publisher(Empty) 13241300x8000000000000000672080Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\LowerCaseLongPathc:\program files\git\usr\bin\fmt.exe 13241300x8000000000000000672079Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\BinProductVersion(Empty) 13241300x8000000000000000672078Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672077Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\Publisher(Empty) 13241300x8000000000000000672076Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\LowerCaseLongPathc:\program files\git\usr\bin\find.exe 13241300x8000000000000000672075Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\BinProductVersion(Empty) 13241300x8000000000000000672074Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672073Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\Publisher(Empty) 13241300x8000000000000000672072Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\LowerCaseLongPathc:\program files\git\usr\bin\file.exe 13241300x8000000000000000672071Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fido2-token.exe|a3c5680a4f7259a\BinProductVersion(Empty) 13241300x8000000000000000672070Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fido2-token.exe|a3c5680a4f7259a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672069Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fido2-token.exe|a3c5680a4f7259a\Publisher(Empty) 13241300x8000000000000000672068Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.861{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fido2-token.exe|a3c5680a4f7259a\LowerCaseLongPathc:\program files\git\usr\bin\fido2-token.exe 13241300x8000000000000000672067Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.858{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fido2-cred.exe|c2222f8371b081a5\BinProductVersion(Empty) 13241300x8000000000000000672066Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.858{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fido2-cred.exe|c2222f8371b081a5\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672065Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.858{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fido2-cred.exe|c2222f8371b081a5\Publisher(Empty) 13241300x8000000000000000672064Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.858{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fido2-cred.exe|c2222f8371b081a5\LowerCaseLongPathc:\program files\git\usr\bin\fido2-cred.exe 13241300x8000000000000000672063Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.855{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\BinProductVersion(Empty) 13241300x8000000000000000672062Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.855{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672061Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.855{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\Publisher(Empty) 13241300x8000000000000000672060Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.855{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\LowerCaseLongPathc:\program files\git\usr\bin\fido2-assert.exe 13241300x8000000000000000672059Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:02.853{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\BinProductVersion(Empty) 13241300x8000000000000000672058Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:02.852{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672057Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:02.852{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\Publisher(Empty) 13241300x8000000000000000672056Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:02.852{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\LowerCaseLongPathc:\program files\git\usr\bin\false.exe 23542300x8000000000000000572681Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:04.742{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82EC7779205D8E8F6C061E7A8DB66627,SHA256=C45CDF0A584862A6EA935CF0AA698BFFD3BB66A67223458152395C56AC30B5C4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000672750Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.994{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\BinProductVersion2.31.1.1 13241300x8000000000000000672749Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.994{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672748Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.994{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\Publisherthe git development community 13241300x8000000000000000672747Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.994{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-unpack-objects.exe 10341000x8000000000000000672746Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.987{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-7FE0-609D-1456-00000000BA01}4712C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000672745Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.985{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\BinProductVersion2.31.1.1 13241300x8000000000000000672744Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.985{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672743Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.985{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\Publisherthe git development community 13241300x8000000000000000672742Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.985{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-unpack-file.exe 23542300x8000000000000000672741Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.983{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465B2894CADA135B6F484D6F915D7D44,SHA256=0AD9CBCF2CF46544E30D0033DAD740F971855F2BB4FF6C440D5EC1C9DB11683B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000672740Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.979{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672739Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.978{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672738Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.978{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672737Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.978{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672736Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.975{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7FE0-609D-1456-00000000BA01}4712C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000672735Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.974{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-7FE0-609D-1456-00000000BA01}4712C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000672734Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.962{7B03F3B2-7FE0-609D-1456-00000000BA01}4712C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 13241300x8000000000000000672733Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.974{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\BinProductVersion2.31.1.1 13241300x8000000000000000672732Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.974{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672731Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.974{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\Publisherthe git development community 13241300x8000000000000000672730Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.974{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-tag.exe 13241300x8000000000000000672729Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.965{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\BinProductVersion2.31.1.1 13241300x8000000000000000672728Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.965{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672727Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.965{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\Publisherthe git development community 13241300x8000000000000000672726Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.965{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-symbolic-ref.exe 13241300x8000000000000000672725Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.956{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\BinProductVersion2.31.1.1 13241300x8000000000000000672724Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.956{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672723Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.956{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\Publisherthe git development community 13241300x8000000000000000672722Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.956{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-switch.exe 10341000x8000000000000000672721Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.953{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-7FE0-609D-1356-00000000BA01}5204C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000672720Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.946{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\BinProductVersion2.31.1.1 13241300x8000000000000000672719Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.946{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672718Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.946{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\Publisherthe git development community 13241300x8000000000000000672717Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.946{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-submodule--helper.exe 10341000x8000000000000000672716Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.941{7B03F3B2-D0C8-609A-0A00-00000000BA01}6247656C:\Windows\system32\services.exe{7B03F3B2-7FE0-609D-1356-00000000BA01}5204C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672715Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.935{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672714Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.935{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000672713Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.935{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\BinProductVersion2.31.1.1 13241300x8000000000000000672712Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.935{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\LinkDate03/27/2021 09:56:23 10341000x8000000000000000672711Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.935{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000672710Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.935{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\Publisherthe git development community 10341000x8000000000000000672709Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.935{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000672708Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.935{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-stripspace.exe 10341000x8000000000000000672707Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.935{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-7FE0-609D-1356-00000000BA01}5204C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000672706Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.934{7B03F3B2-D0C8-609A-0A00-00000000BA01}6245532C:\Windows\system32\services.exe{7B03F3B2-7FE0-609D-1356-00000000BA01}5204C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000672705Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.923{7B03F3B2-7FE0-609D-1356-00000000BA01}5204C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{7B03F3B2-D0C8-609A-0A00-00000000BA01}624C:\Windows\System32\services.exeC:\Windows\system32\services.exe 13241300x8000000000000000672704Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.926{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\BinProductVersion2.31.1.1 13241300x8000000000000000672703Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.926{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672702Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.926{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\Publisherthe git development community 13241300x8000000000000000672701Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.926{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-status.exe 10341000x8000000000000000672700Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.922{7B03F3B2-D0C8-609A-0B00-00000000BA01}6325688C:\Windows\system32\lsass.exe{7B03F3B2-D0C8-609A-0A00-00000000BA01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672699Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.922{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672698Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.922{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000672697Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.921{7B03F3B2-D0C8-609A-0B00-00000000BA01}6325688C:\Windows\system32\lsass.exe{7B03F3B2-D0C8-609A-0A00-00000000BA01}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000672696Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.917{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\BinProductVersion2.31.1.1 13241300x8000000000000000672695Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.917{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672694Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.917{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\Publisherthe git development community 13241300x8000000000000000672693Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.917{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-stash.exe 13241300x8000000000000000672692Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.903{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\BinProductVersion2.31.1.1 13241300x8000000000000000672691Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.903{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672690Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.903{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\Publisherthe git development community 13241300x8000000000000000672689Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.903{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-stage.exe 13241300x8000000000000000672688Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.890{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\BinProductVersion2.31.1.1 13241300x8000000000000000672687Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.890{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672686Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.890{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\Publisherthe git development community 13241300x8000000000000000672685Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.890{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-sparse-checkout.exe 13241300x8000000000000000672684Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.877{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\BinProductVersion2.31.1.1 13241300x8000000000000000672683Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.877{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672682Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.877{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\Publisherthe git development community 13241300x8000000000000000672681Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.877{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show.exe 13241300x8000000000000000672680Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.863{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\BinProductVersion2.31.1.1 13241300x8000000000000000672679Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.863{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672678Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.863{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\Publisherthe git development community 13241300x8000000000000000672677Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.863{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show-ref.exe 13241300x8000000000000000672676Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.850{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\BinProductVersion2.31.1.1 13241300x8000000000000000672675Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.850{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672674Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.850{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\Publisherthe git development community 13241300x8000000000000000672673Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.850{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show-index.exe 13241300x8000000000000000672672Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.837{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\BinProductVersion2.31.1.1 13241300x8000000000000000672671Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.837{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672670Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.837{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\Publisherthe git development community 13241300x8000000000000000672669Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.836{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show-branch.exe 13241300x8000000000000000672668Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.823{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\BinProductVersion2.31.1.1 13241300x8000000000000000672667Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.823{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672666Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.823{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\Publisherthe git development community 13241300x8000000000000000672665Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.823{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-shortlog.exe 23542300x8000000000000000672664Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.814{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5DEA0DE7C7FF10462CD2D394DC09D5D,SHA256=45C861CB078F4593345E3C49D42AF4FD33E67CE6EC53DE5C8F29F391CE323000,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000672663Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.807{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\BinProductVersion2.31.1.1 13241300x8000000000000000672662Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.807{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\LinkDate03/27/2021 09:56:28 13241300x8000000000000000672661Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.806{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\Publisherthe git development community 13241300x8000000000000000672660Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.806{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-sh-i18n--envsubst.exe 13241300x8000000000000000672659Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.789{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\BinProductVersion2.31.1.1 13241300x8000000000000000672658Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.789{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672657Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.789{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\Publisherthe git development community 13241300x8000000000000000672656Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.789{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-send-pack.exe 13241300x8000000000000000672655Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.776{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\BinProductVersion2.31.1.1 13241300x8000000000000000672654Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.776{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672653Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.776{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\Publisherthe git development community 13241300x8000000000000000672652Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.775{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rm.exe 13241300x8000000000000000672651Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.765{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\BinProductVersion2.31.1.1 13241300x8000000000000000672650Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.765{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672649Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.764{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\Publisherthe git development community 13241300x8000000000000000672648Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.764{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-revert.exe 13241300x8000000000000000672647Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.753{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\BinProductVersion2.31.1.1 13241300x8000000000000000672646Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.753{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672645Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.752{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\Publisherthe git development community 13241300x8000000000000000672644Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.752{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rev-parse.exe 13241300x8000000000000000672643Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.739{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\BinProductVersion2.31.1.1 13241300x8000000000000000672642Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.739{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672641Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.739{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\Publisherthe git development community 13241300x8000000000000000672640Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.739{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rev-list.exe 13241300x8000000000000000672639Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.726{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\BinProductVersion2.31.1.1 13241300x8000000000000000672638Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.726{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672637Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.726{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\Publisherthe git development community 13241300x8000000000000000672636Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.726{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-restore.exe 13241300x8000000000000000672635Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.713{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\BinProductVersion2.31.1.1 13241300x8000000000000000672634Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.713{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672633Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.713{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\Publisherthe git development community 13241300x8000000000000000672632Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.713{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-reset.exe 13241300x8000000000000000672631Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.699{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\BinProductVersion2.31.1.1 13241300x8000000000000000672630Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.699{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672629Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.699{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\Publisherthe git development community 13241300x8000000000000000672628Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.699{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rerere.exe 13241300x8000000000000000672627Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.686{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\BinProductVersion2.31.1.1 13241300x8000000000000000672626Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.686{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672625Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.686{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\Publisherthe git development community 13241300x8000000000000000672624Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.686{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-replace.exe 13241300x8000000000000000672623Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.672{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\BinProductVersion2.31.1.1 13241300x8000000000000000672622Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.672{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672621Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.672{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\Publisherthe git development community 13241300x8000000000000000672620Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.672{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-repack.exe 13241300x8000000000000000672619Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.659{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\BinProductVersion2.31.1.1 13241300x8000000000000000672618Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.659{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672617Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.659{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\Publisherthe git development community 13241300x8000000000000000672616Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.659{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote.exe 13241300x8000000000000000672615Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.645{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\BinProductVersion2.31.1.1 13241300x8000000000000000672614Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.645{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\LinkDate03/27/2021 09:56:32 13241300x8000000000000000672613Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.645{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\Publisherthe git development community 13241300x8000000000000000672612Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.645{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-https.exe 13241300x8000000000000000672611Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.626{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\BinProductVersion2.31.1.1 13241300x8000000000000000672610Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.626{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\LinkDate03/27/2021 09:56:32 13241300x8000000000000000672609Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.626{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\Publisherthe git development community 13241300x8000000000000000672608Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.625{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-http.exe 13241300x8000000000000000672607Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.608{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\BinProductVersion2.31.1.1 13241300x8000000000000000672606Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.608{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\LinkDate03/27/2021 09:56:32 13241300x8000000000000000672605Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.608{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\Publisherthe git development community 13241300x8000000000000000672604Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.608{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-ftps.exe 13241300x8000000000000000672603Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.590{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\BinProductVersion2.31.1.1 13241300x8000000000000000672602Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.590{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\LinkDate03/27/2021 09:56:32 13241300x8000000000000000672601Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.590{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\Publisherthe git development community 13241300x8000000000000000672600Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.589{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-ftp.exe 13241300x8000000000000000672599Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.570{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\BinProductVersion2.31.1.1 13241300x8000000000000000672598Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.570{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672597Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.570{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\Publisherthe git development community 13241300x8000000000000000672596Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.570{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-fd.exe 13241300x8000000000000000672595Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.513{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\BinProductVersion2.31.1.1 13241300x8000000000000000672594Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.513{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672593Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.513{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\Publisherthe git development community 13241300x8000000000000000672592Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.513{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-ext.exe 13241300x8000000000000000672591Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.513{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\BinProductVersion2.31.1.1 13241300x8000000000000000672590Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.513{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672589Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.513{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\Publisherthe git development community 13241300x8000000000000000672588Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.513{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-reflog.exe 13241300x8000000000000000672587Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.504{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\BinProductVersion2.31.1.1 13241300x8000000000000000672586Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.504{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672585Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.504{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\Publisherthe git development community 13241300x8000000000000000672584Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.504{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\LowerCaseLongPathc:\program files\git\mingw64\bin\git-receive-pack.exe 13241300x8000000000000000672583Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.494{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\BinProductVersion2.31.1.1 13241300x8000000000000000672582Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.494{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672581Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.494{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\Publisherthe git development community 13241300x8000000000000000672580Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.494{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-receive-pack.exe 13241300x8000000000000000672579Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.485{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\BinProductVersion2.31.1.1 13241300x8000000000000000672578Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.485{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672577Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.485{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\Publisherthe git development community 13241300x8000000000000000672576Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.485{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rebase.exe 13241300x8000000000000000672575Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\BinProductVersion2.31.1.1 13241300x8000000000000000672574Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672573Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\Publisherthe git development community 13241300x8000000000000000672572Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.477{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-read-tree.exe 13241300x8000000000000000672571Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.467{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\BinProductVersion2.31.1.1 13241300x8000000000000000672570Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.467{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672569Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.466{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\Publisherthe git development community 13241300x8000000000000000672568Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.466{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-range-diff.exe 13241300x8000000000000000672567Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.458{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\BinProductVersion2.31.1.1 13241300x8000000000000000672566Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.458{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672565Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.458{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\Publisherthe git development community 13241300x8000000000000000672564Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.458{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-push.exe 23542300x8000000000000000672563Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.454{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5F7F2448140ACB627F9FA8E6EE44843,SHA256=D893C6635927C5DF9411F1CF821ED02D2B652A9C2631099B42BA7C76A1BC3015,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000672562Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.449{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\BinProductVersion2.31.1.1 13241300x8000000000000000672561Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.449{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672560Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.449{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\Publisherthe git development community 13241300x8000000000000000672559Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.449{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pull.exe 13241300x8000000000000000672558Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.440{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\BinProductVersion2.31.1.1 13241300x8000000000000000672557Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.440{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672556Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.440{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\Publisherthe git development community 13241300x8000000000000000672555Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.440{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-prune.exe 13241300x8000000000000000672554Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.427{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\BinProductVersion2.31.1.1 13241300x8000000000000000672553Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.427{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672552Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.427{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\Publisherthe git development community 13241300x8000000000000000672551Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.427{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-prune-packed.exe 23542300x8000000000000000672550Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.415{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FB185EC1EFE129E4ECD32869BA9C7D,SHA256=49495906CEB238470B5464157E2A59E49ED02F9217FB2F7F3D4F28A88DAD6DA5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000672549Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.410{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\BinProductVersion2.31.1.1 13241300x8000000000000000672548Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.410{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672547Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.409{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\Publisherthe git development community 13241300x8000000000000000672546Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.409{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-patch-id.exe 13241300x8000000000000000672545Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.400{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\BinProductVersion2.31.1.1 13241300x8000000000000000672544Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.400{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672543Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.400{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\Publisherthe git development community 13241300x8000000000000000672542Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.400{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pack-refs.exe 13241300x8000000000000000672541Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.391{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\BinProductVersion2.31.1.1 13241300x8000000000000000672540Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.391{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672539Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.391{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\Publisherthe git development community 13241300x8000000000000000672538Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.391{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pack-redundant.exe 13241300x8000000000000000672537Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.382{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\BinProductVersion2.31.1.1 13241300x8000000000000000672536Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.382{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672535Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.382{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\Publisherthe git development community 13241300x8000000000000000672534Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.382{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pack-objects.exe 13241300x8000000000000000672533Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.373{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\BinProductVersion2.31.1.1 13241300x8000000000000000672532Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.373{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672531Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.373{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\Publisherthe git development community 13241300x8000000000000000672530Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.373{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-notes.exe 13241300x8000000000000000672529Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.364{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\BinProductVersion2.31.1.1 13241300x8000000000000000672528Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.364{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672527Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.364{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\Publisherthe git development community 13241300x8000000000000000672526Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.364{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-name-rev.exe 13241300x8000000000000000672525Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.355{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\BinProductVersion2.31.1.1 13241300x8000000000000000672524Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.355{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672523Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.355{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\Publisherthe git development community 13241300x8000000000000000672522Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.355{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mv.exe 13241300x8000000000000000672521Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\BinProductVersion2.31.1.1 13241300x8000000000000000672520Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672519Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\Publisherthe git development community 13241300x8000000000000000672518Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.346{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-multi-pack-index.exe 13241300x8000000000000000672517Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.337{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\BinProductVersion2.31.1.1 13241300x8000000000000000672516Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.337{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672515Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.337{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\Publisherthe git development community 13241300x8000000000000000672514Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.337{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mktree.exe 13241300x8000000000000000672513Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.328{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\BinProductVersion2.31.1.1 13241300x8000000000000000672512Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.328{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672511Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.328{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\Publisherthe git development community 13241300x8000000000000000672510Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.328{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mktag.exe 13241300x8000000000000000672509Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.319{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\BinProductVersion2.31.1.1 13241300x8000000000000000672508Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.317{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672507Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.317{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\Publisherthe git development community 13241300x8000000000000000672506Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.317{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge.exe 13241300x8000000000000000672505Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.309{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\BinProductVersion2.31.1.1 13241300x8000000000000000672504Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.308{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672503Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.308{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\Publisherthe git development community 13241300x8000000000000000672502Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.308{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-tree.exe 13241300x8000000000000000672501Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.288{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\BinProductVersion2.31.1.1 13241300x8000000000000000672500Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.288{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672499Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.288{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\Publisherthe git development community 13241300x8000000000000000672498Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.288{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-subtree.exe 13241300x8000000000000000672497Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.279{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\BinProductVersion2.31.1.1 13241300x8000000000000000672496Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.279{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672495Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.279{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\Publisherthe git development community 13241300x8000000000000000672494Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.279{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-recursive.exe 13241300x8000000000000000672493Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.271{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\BinProductVersion2.31.1.1 13241300x8000000000000000672492Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.271{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672491Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.271{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\Publisherthe git development community 13241300x8000000000000000672490Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.271{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-ours.exe 13241300x8000000000000000672489Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.262{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\BinProductVersion2.31.1.1 13241300x8000000000000000672488Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.262{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672487Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.262{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\Publisherthe git development community 13241300x8000000000000000672486Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.262{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-index.exe 13241300x8000000000000000672485Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.253{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\BinProductVersion2.31.1.1 13241300x8000000000000000672484Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.253{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672483Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.253{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\Publisherthe git development community 13241300x8000000000000000672482Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.253{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-file.exe 13241300x8000000000000000672481Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.245{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\BinProductVersion2.31.1.1 13241300x8000000000000000672480Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.245{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672479Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.245{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\Publisherthe git development community 13241300x8000000000000000672478Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.244{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-base.exe 13241300x8000000000000000672477Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.236{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\BinProductVersion2.31.1.1 13241300x8000000000000000672476Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.236{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672475Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.236{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\Publisherthe git development community 13241300x8000000000000000672474Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.236{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-maintenance.exe 13241300x8000000000000000672473Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\BinProductVersion2.31.1.1 13241300x8000000000000000672472Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672471Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\Publisherthe git development community 13241300x8000000000000000672470Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mailsplit.exe 13241300x8000000000000000672469Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.219{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\BinProductVersion2.31.1.1 13241300x8000000000000000672468Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.219{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672467Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.218{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\Publisherthe git development community 13241300x8000000000000000672466Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.218{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mailinfo.exe 13241300x8000000000000000672465Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.210{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\BinProductVersion2.31.1.1 13241300x8000000000000000672464Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.210{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672463Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.210{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\Publisherthe git development community 13241300x8000000000000000672462Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.210{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-ls-tree.exe 13241300x8000000000000000672461Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.201{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\BinProductVersion2.31.1.1 13241300x8000000000000000672460Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.201{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672459Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.201{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\Publisherthe git development community 13241300x8000000000000000672458Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.201{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-ls-remote.exe 13241300x8000000000000000672457Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.192{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\BinProductVersion2.31.1.1 13241300x8000000000000000672456Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.192{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672455Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.192{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\Publisherthe git development community 13241300x8000000000000000672454Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.192{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-ls-files.exe 13241300x8000000000000000672453Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.181{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\BinProductVersion2.31.1.1 13241300x8000000000000000672452Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.181{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672451Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.181{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\Publisherthe git development community 13241300x8000000000000000672450Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.181{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-log.exe 13241300x8000000000000000672449Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.167{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\BinProductVersion0.0.0.0 13241300x8000000000000000672448Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.167{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672447Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.167{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\Publisher(Empty) 13241300x8000000000000000672446Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.167{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\LowerCaseLongPathc:\program files\git\mingw64\bin\git-lfs.exe 23542300x8000000000000000672445Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.108{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECDEA221BCEBFB660A6A5966ACE7971,SHA256=18FF2FD0F92A2B7C633B9987760855B48155A8012B18D31E26C4A79E8C057AEC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000672444Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.063{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\BinProductVersion2.31.1.1 13241300x8000000000000000672443Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.063{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\LinkDate03/27/2021 09:48:40 13241300x8000000000000000672442Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.063{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\Publisherthe git development community 13241300x8000000000000000672441Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.063{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\LowerCaseLongPathc:\program files\git\cmd\git-lfs.exe 13241300x8000000000000000672440Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.061{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\BinProductVersion2.31.1.1 13241300x8000000000000000672439Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.061{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672438Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.061{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\Publisherthe git development community 13241300x8000000000000000672437Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.061{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-interpret-trailers.exe 13241300x8000000000000000672436Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.051{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\BinProductVersion2.31.1.1 13241300x8000000000000000672435Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.051{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672434Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.051{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\Publisherthe git development community 13241300x8000000000000000672433Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.051{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-init.exe 13241300x8000000000000000672432Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.040{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\BinProductVersion2.31.1.1 13241300x8000000000000000672431Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.040{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672430Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.039{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\Publisherthe git development community 13241300x8000000000000000672429Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.039{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-init-db.exe 13241300x8000000000000000672428Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.025{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\BinProductVersion2.31.1.1 13241300x8000000000000000672427Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.025{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672426Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.025{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\Publisherthe git development community 13241300x8000000000000000672425Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.025{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-index-pack.exe 23542300x8000000000000000672424Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:04.016{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED08323D650F7DE5E4E8B6BA9EB982E9,SHA256=FEB771598F996CBEF70E5EC21C7402DBC344AB9FF4923FCDC1FCE4CEF5EE8A0B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000672423Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:04.011{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\BinProductVersion2.31.1.1 13241300x8000000000000000672422Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:04.011{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\LinkDate03/27/2021 09:56:26 13241300x8000000000000000672421Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:04.011{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\Publisherthe git development community 13241300x8000000000000000672420Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:04.011{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-imap-send.exe 23542300x8000000000000000572682Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:05.773{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D585469B4A1C701BC86C521F5CA9E9E,SHA256=A5305242ED43C71D8CC773D600751A945DB6EB2413C07EAECE6CFE8D04870F90,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000673560Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.916{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\BinProductVersion8.6.2.11 13241300x8000000000000000673559Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.916{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673558Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.916{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\Publisheractivestate corporation 13241300x8000000000000000673557Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.916{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\LowerCaseLongPathc:\program files\git\mingw64\bin\tclsh86.exe 13241300x8000000000000000673556Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.915{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh8.6.exe|f4af2187e95edf36\BinProductVersion(Empty) 13241300x8000000000000000673555Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.915{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh8.6.exe|f4af2187e95edf36\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673554Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.914{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh8.6.exe|f4af2187e95edf36\Publisher(Empty) 13241300x8000000000000000673553Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.914{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh8.6.exe|f4af2187e95edf36\LowerCaseLongPathc:\program files\git\usr\bin\tclsh8.6.exe 13241300x8000000000000000673552Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.914{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\BinProductVersion8.6.2.11 13241300x8000000000000000673551Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.914{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673550Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.914{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\Publisheractivestate corporation 13241300x8000000000000000673549Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.914{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\LowerCaseLongPathc:\program files\git\mingw64\bin\tclsh.exe 13241300x8000000000000000673548Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.912{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh.exe|5e019a1593cf699d\BinProductVersion(Empty) 13241300x8000000000000000673547Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.912{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh.exe|5e019a1593cf699d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673546Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.912{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh.exe|5e019a1593cf699d\Publisher(Empty) 13241300x8000000000000000673545Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.912{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tclsh.exe|5e019a1593cf699d\LowerCaseLongPathc:\program files\git\usr\bin\tclsh.exe 13241300x8000000000000000673544Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.912{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\BinProductVersion(Empty) 13241300x8000000000000000673543Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.912{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673542Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.912{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\Publisher(Empty) 13241300x8000000000000000673541Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.912{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\LowerCaseLongPathc:\program files\git\usr\bin\tar.exe 13241300x8000000000000000673540Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.905{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\BinProductVersion(Empty) 13241300x8000000000000000673539Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.905{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673538Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.905{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\Publisher(Empty) 13241300x8000000000000000673537Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.905{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\LowerCaseLongPathc:\program files\git\usr\bin\tail.exe 13241300x8000000000000000673536Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.904{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\BinProductVersion(Empty) 13241300x8000000000000000673535Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.904{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673534Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.904{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\Publisher(Empty) 13241300x8000000000000000673533Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.904{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\LowerCaseLongPathc:\program files\git\usr\bin\tac.exe 13241300x8000000000000000673532Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.871{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\BinProductVersion(Empty) 13241300x8000000000000000673531Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.871{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673530Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.870{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\Publisher(Empty) 13241300x8000000000000000673529Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.870{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\LowerCaseLongPathc:\program files\git\usr\bin\tabs.exe 13241300x8000000000000000673528Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.870{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\BinProductVersion(Empty) 13241300x8000000000000000673527Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.870{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673526Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.870{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\Publisher(Empty) 13241300x8000000000000000673525Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.870{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\LowerCaseLongPathc:\program files\git\usr\bin\sync.exe 13241300x8000000000000000673524Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.869{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\BinProductVersion(Empty) 13241300x8000000000000000673523Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.868{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673522Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.868{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\Publisher(Empty) 13241300x8000000000000000673521Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.868{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\LowerCaseLongPathc:\program files\git\usr\bin\sum.exe 13241300x8000000000000000673520Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.868{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\BinProductVersion(Empty) 13241300x8000000000000000673519Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.868{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673518Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.868{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\Publisher(Empty) 13241300x8000000000000000673517Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.868{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\LowerCaseLongPathc:\program files\git\usr\bin\stty.exe 13241300x8000000000000000673516Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.866{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\BinProductVersion(Empty) 13241300x8000000000000000673515Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.866{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\LinkDate03/26/2021 22:24:41 13241300x8000000000000000673514Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.866{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\Publisher(Empty) 13241300x8000000000000000673513Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.866{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\LowerCaseLongPathc:\program files\git\usr\bin\strace.exe 13241300x8000000000000000673512Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.857{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\BinProductVersion(Empty) 13241300x8000000000000000673511Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.857{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673510Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.857{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\Publisher(Empty) 13241300x8000000000000000673509Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.857{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\LowerCaseLongPathc:\program files\git\usr\bin\stat.exe 13241300x8000000000000000673508Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.856{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\BinProductVersion(Empty) 13241300x8000000000000000673507Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.856{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\LinkDate03/26/2021 22:24:41 13241300x8000000000000000673506Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.856{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\Publisher(Empty) 13241300x8000000000000000673505Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.856{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\LowerCaseLongPathc:\program files\git\usr\bin\ssp.exe 13241300x8000000000000000673504Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.853{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\BinProductVersion(Empty) 13241300x8000000000000000673503Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.853{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673502Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.853{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\Publisher(Empty) 13241300x8000000000000000673501Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.853{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\LowerCaseLongPathc:\program files\git\usr\bin\sshd.exe 13241300x8000000000000000673500Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.844{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\BinProductVersion(Empty) 13241300x8000000000000000673499Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.844{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673498Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.844{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\Publisher(Empty) 13241300x8000000000000000673497Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.844{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\LowerCaseLongPathc:\program files\git\usr\bin\ssh.exe 13241300x8000000000000000673496Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.835{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\BinProductVersion(Empty) 13241300x8000000000000000673495Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.835{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673494Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.835{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\Publisher(Empty) 13241300x8000000000000000673493Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.835{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\LowerCaseLongPathc:\program files\git\usr\lib\ssh\ssh-sk-helper.exe 13241300x8000000000000000673492Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.829{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\BinProductVersion(Empty) 13241300x8000000000000000673491Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.829{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673490Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.829{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\Publisher(Empty) 13241300x8000000000000000673489Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.829{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\LowerCaseLongPathc:\program files\git\usr\lib\ssh\ssh-pkcs11-helper.exe 13241300x8000000000000000673488Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.823{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\BinProductVersion(Empty) 13241300x8000000000000000673487Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.823{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673486Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.823{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\Publisher(Empty) 13241300x8000000000000000673485Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.823{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\LowerCaseLongPathc:\program files\git\usr\bin\ssh-pageant.exe 13241300x8000000000000000673484Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.822{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\BinProductVersion(Empty) 13241300x8000000000000000673483Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.822{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673482Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.822{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\Publisher(Empty) 13241300x8000000000000000673481Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.822{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\LowerCaseLongPathc:\program files\git\usr\lib\ssh\ssh-keysign.exe 13241300x8000000000000000673480Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.815{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\BinProductVersion(Empty) 13241300x8000000000000000673479Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.815{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673478Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.815{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\Publisher(Empty) 13241300x8000000000000000673477Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.815{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\LowerCaseLongPathc:\program files\git\usr\bin\ssh-keyscan.exe 23542300x8000000000000000673476Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:05.809{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3960B0C0A7722CA9252B354A77BEF6E3,SHA256=AFE4CAF191B64BB4B8ECA37F2CA0DF219B5E7EF55771B16CDCC31C65BFBA9E5B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000673475Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.809{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\BinProductVersion(Empty) 13241300x8000000000000000673474Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.809{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673473Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.809{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\Publisher(Empty) 13241300x8000000000000000673472Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.809{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\LowerCaseLongPathc:\program files\git\usr\bin\ssh-keygen.exe 13241300x8000000000000000673471Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.802{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\BinProductVersion(Empty) 13241300x8000000000000000673470Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.802{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673469Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.802{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\Publisher(Empty) 13241300x8000000000000000673468Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.802{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\LowerCaseLongPathc:\program files\git\usr\bin\ssh-agent.exe 13241300x8000000000000000673467Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.796{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\BinProductVersion(Empty) 13241300x8000000000000000673466Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.796{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673465Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.796{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\Publisher(Empty) 13241300x8000000000000000673464Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.796{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\LowerCaseLongPathc:\program files\git\usr\bin\ssh-add.exe 13241300x8000000000000000673463Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.791{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\BinProductVersion(Empty) 13241300x8000000000000000673462Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.791{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673461Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.791{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\Publisher(Empty) 13241300x8000000000000000673460Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.791{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\LowerCaseLongPathc:\program files\git\usr\bin\split.exe 13241300x8000000000000000673459Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.790{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\BinProductVersion(Empty) 13241300x8000000000000000673458Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.790{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673457Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.790{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\Publisher(Empty) 13241300x8000000000000000673456Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.790{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\LowerCaseLongPathc:\program files\git\usr\bin\sort.exe 13241300x8000000000000000673455Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.788{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\BinProductVersion(Empty) 13241300x8000000000000000673454Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.788{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673453Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.788{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\Publisher(Empty) 13241300x8000000000000000673452Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.788{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\LowerCaseLongPathc:\program files\git\usr\bin\sleep.exe 13241300x8000000000000000673451Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.786{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\BinProductVersion(Empty) 13241300x8000000000000000673450Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.786{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673449Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.786{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\Publisher(Empty) 13241300x8000000000000000673448Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.786{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\LowerCaseLongPathc:\program files\git\usr\bin\shuf.exe 13241300x8000000000000000673447Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.786{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\BinProductVersion(Empty) 13241300x8000000000000000673446Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.786{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673445Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.786{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\Publisher(Empty) 13241300x8000000000000000673444Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.786{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\LowerCaseLongPathc:\program files\git\usr\bin\shred.exe 13241300x8000000000000000673443Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.785{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\BinProductVersion(Empty) 13241300x8000000000000000673442Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.785{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673441Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.785{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\Publisher(Empty) 13241300x8000000000000000673440Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.785{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\LowerCaseLongPathc:\program files\git\usr\bin\sha512sum.exe 13241300x8000000000000000673439Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.784{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\BinProductVersion(Empty) 13241300x8000000000000000673438Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.784{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673437Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.784{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\Publisher(Empty) 13241300x8000000000000000673436Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.784{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\LowerCaseLongPathc:\program files\git\usr\bin\sha384sum.exe 13241300x8000000000000000673435Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.783{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\BinProductVersion(Empty) 13241300x8000000000000000673434Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.783{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673433Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.783{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\Publisher(Empty) 13241300x8000000000000000673432Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.783{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\LowerCaseLongPathc:\program files\git\usr\bin\sha256sum.exe 13241300x8000000000000000673431Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.783{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\BinProductVersion(Empty) 13241300x8000000000000000673430Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.783{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673429Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.783{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\Publisher(Empty) 13241300x8000000000000000673428Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.782{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\LowerCaseLongPathc:\program files\git\usr\bin\sha224sum.exe 13241300x8000000000000000673427Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.782{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\BinProductVersion(Empty) 13241300x8000000000000000673426Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.782{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673425Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.782{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\Publisher(Empty) 13241300x8000000000000000673424Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.782{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\LowerCaseLongPathc:\program files\git\usr\bin\sha1sum.exe 13241300x8000000000000000673423Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.781{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\BinProductVersion2.31.1.1 13241300x8000000000000000673422Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.781{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\LinkDate03/27/2021 09:48:40 13241300x8000000000000000673421Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.781{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\Publisherthe git development community 13241300x8000000000000000673420Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.781{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\LowerCaseLongPathc:\program files\git\bin\sh.exe 13241300x8000000000000000673419Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.780{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\BinProductVersion(Empty) 13241300x8000000000000000673418Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.780{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\LinkDate12/04/2018 10:21:15 13241300x8000000000000000673417Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.779{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\Publisher(Empty) 13241300x8000000000000000673416Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.779{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\LowerCaseLongPathc:\program files\git\usr\bin\sh.exe 13241300x8000000000000000673415Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.764{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\BinProductVersion(Empty) 13241300x8000000000000000673414Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.764{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673413Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.764{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\Publisher(Empty) 13241300x8000000000000000673412Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.764{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\LowerCaseLongPathc:\program files\git\usr\bin\sftp.exe 13241300x8000000000000000673411Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.761{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\BinProductVersion(Empty) 13241300x8000000000000000673410Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.761{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673409Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.761{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\Publisher(Empty) 13241300x8000000000000000673408Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.761{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\LowerCaseLongPathc:\program files\git\usr\lib\ssh\sftp-server.exe 13241300x8000000000000000673407Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.759{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\BinProductVersion(Empty) 13241300x8000000000000000673406Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.759{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673405Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.759{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\Publisher(Empty) 13241300x8000000000000000673404Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.759{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\LowerCaseLongPathc:\program files\git\mingw64\bin\sexp-conv.exe 13241300x8000000000000000673403Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.758{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\BinProductVersion(Empty) 13241300x8000000000000000673402Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.758{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673401Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.758{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\Publisher(Empty) 13241300x8000000000000000673400Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.758{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\LowerCaseLongPathc:\program files\git\usr\bin\sexp-conv.exe 13241300x8000000000000000673399Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.757{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\BinProductVersion(Empty) 13241300x8000000000000000673398Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.757{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\LinkDate03/26/2021 22:24:40 13241300x8000000000000000673397Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.757{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\Publisher(Empty) 13241300x8000000000000000673396Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.757{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\LowerCaseLongPathc:\program files\git\usr\bin\setmetamode.exe 13241300x8000000000000000673395Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.755{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\BinProductVersion(Empty) 13241300x8000000000000000673394Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.755{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\LinkDate03/26/2021 22:24:40 13241300x8000000000000000673393Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.755{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\Publisher(Empty) 13241300x8000000000000000673392Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.755{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\LowerCaseLongPathc:\program files\git\usr\bin\setfacl.exe 13241300x8000000000000000673391Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.753{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\BinProductVersion(Empty) 13241300x8000000000000000673390Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.753{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673389Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.753{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\Publisher(Empty) 13241300x8000000000000000673388Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.752{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\LowerCaseLongPathc:\program files\git\usr\bin\seq.exe 13241300x8000000000000000673387Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.751{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\BinProductVersion(Empty) 13241300x8000000000000000673386Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.751{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673385Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.751{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\Publisher(Empty) 13241300x8000000000000000673384Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.751{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\LowerCaseLongPathc:\program files\git\usr\bin\sed.exe 13241300x8000000000000000673383Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.748{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\BinProductVersion(Empty) 13241300x8000000000000000673382Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.748{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673381Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.748{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\Publisher(Empty) 13241300x8000000000000000673380Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.748{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\LowerCaseLongPathc:\program files\git\usr\bin\sdiff.exe 13241300x8000000000000000673379Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.747{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\BinProductVersion(Empty) 13241300x8000000000000000673378Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.747{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673377Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.747{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\Publisher(Empty) 13241300x8000000000000000673376Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.747{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\LowerCaseLongPathc:\program files\git\usr\bin\scp.exe 13241300x8000000000000000673375Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.745{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\BinProductVersion(Empty) 13241300x8000000000000000673374Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.745{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673373Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.745{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\Publisher(Empty) 13241300x8000000000000000673372Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.745{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\scdaemon.exe 13241300x8000000000000000673371Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.739{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\BinProductVersion(Empty) 13241300x8000000000000000673370Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.739{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673369Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.739{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\Publisher(Empty) 13241300x8000000000000000673368Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.739{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\LowerCaseLongPathc:\program files\git\usr\bin\rvim.exe 13241300x8000000000000000673367Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.719{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\BinProductVersion(Empty) 13241300x8000000000000000673366Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.719{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673365Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.719{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\Publisher(Empty) 13241300x8000000000000000673364Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.719{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\LowerCaseLongPathc:\program files\git\usr\bin\rview.exe 13241300x8000000000000000673363Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.700{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\BinProductVersion(Empty) 13241300x8000000000000000673362Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.700{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673361Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.700{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\Publisher(Empty) 13241300x8000000000000000673360Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.700{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\LowerCaseLongPathc:\program files\git\usr\bin\runcon.exe 13241300x8000000000000000673359Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\BinProductVersion(Empty) 13241300x8000000000000000673358Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673357Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\Publisher(Empty) 13241300x8000000000000000673356Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\LowerCaseLongPathc:\program files\git\usr\bin\rnano.exe 13241300x8000000000000000673355Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\BinProductVersion(Empty) 13241300x8000000000000000673354Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673353Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\Publisher(Empty) 13241300x8000000000000000673352Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\LowerCaseLongPathc:\program files\git\usr\lib\tar\rmt.exe 13241300x8000000000000000673351Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\BinProductVersion(Empty) 13241300x8000000000000000673350Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673349Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\Publisher(Empty) 13241300x8000000000000000673348Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\LowerCaseLongPathc:\program files\git\usr\bin\rmdir.exe 13241300x8000000000000000673347Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\BinProductVersion(Empty) 13241300x8000000000000000673346Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673345Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\Publisher(Empty) 13241300x8000000000000000673344Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\LowerCaseLongPathc:\program files\git\usr\bin\rm.exe 13241300x8000000000000000673343Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\BinProductVersion(Empty) 13241300x8000000000000000673342Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673341Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\Publisher(Empty) 13241300x8000000000000000673340Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\LowerCaseLongPathc:\program files\git\usr\bin\reset.exe 13241300x8000000000000000673339Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\BinProductVersion(Empty) 13241300x8000000000000000673338Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\LinkDate03/26/2021 22:24:40 13241300x8000000000000000673337Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\Publisher(Empty) 13241300x8000000000000000673336Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\LowerCaseLongPathc:\program files\git\usr\bin\regtool.exe 13241300x8000000000000000673335Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\BinProductVersion(Empty) 13241300x8000000000000000673334Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\LinkDate06/19/2025 15:30:53 13241300x8000000000000000673333Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\Publisher(Empty) 13241300x8000000000000000673332Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\LowerCaseLongPathc:\program files\git\usr\bin\recode-sr-latin.exe 13241300x8000000000000000673331Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\BinProductVersion(Empty) 13241300x8000000000000000673330Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673329Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\Publisher(Empty) 13241300x8000000000000000673328Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.685{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\LowerCaseLongPathc:\program files\git\usr\bin\rebase.exe 13241300x8000000000000000673327Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\BinProductVersion(Empty) 13241300x8000000000000000673326Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673325Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\Publisher(Empty) 13241300x8000000000000000673324Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\LowerCaseLongPathc:\program files\git\usr\bin\realpath.exe 13241300x8000000000000000673323Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\BinProductVersion(Empty) 13241300x8000000000000000673322Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673321Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\Publisher(Empty) 13241300x8000000000000000673320Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\LowerCaseLongPathc:\program files\git\usr\bin\readlink.exe 13241300x8000000000000000673319Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\BinProductVersion(Empty) 13241300x8000000000000000673318Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673317Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\Publisher(Empty) 13241300x8000000000000000673316Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\LowerCaseLongPathc:\program files\git\usr\bin\pwd.exe 13241300x8000000000000000673315Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\BinProductVersion(Empty) 13241300x8000000000000000673314Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673313Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\Publisher(Empty) 13241300x8000000000000000673312Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\LowerCaseLongPathc:\program files\git\usr\lib\awk\pwcat.exe 13241300x8000000000000000673311Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\BinProductVersion(Empty) 13241300x8000000000000000673310Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673309Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\Publisher(Empty) 13241300x8000000000000000673308Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\LowerCaseLongPathc:\program files\git\usr\bin\ptx.exe 13241300x8000000000000000673307Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\BinProductVersion(Empty) 13241300x8000000000000000673306Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673305Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\Publisher(Empty) 13241300x8000000000000000673304Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\LowerCaseLongPathc:\program files\git\usr\bin\psl.exe 13241300x8000000000000000673303Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\BinProductVersion(Empty) 13241300x8000000000000000673302Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\LinkDate03/26/2021 22:24:40 13241300x8000000000000000673301Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\Publisher(Empty) 13241300x8000000000000000673300Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\LowerCaseLongPathc:\program files\git\usr\bin\ps.exe 13241300x8000000000000000673299Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\BinProductVersion(Empty) 13241300x8000000000000000673298Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673297Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\Publisher(Empty) 13241300x8000000000000000673296Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.669{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\LowerCaseLongPathc:\program files\git\mingw64\bin\proxy-lookup.exe 13241300x8000000000000000673295Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\BinProductVersion(Empty) 13241300x8000000000000000673294Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673293Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\Publisher(Empty) 13241300x8000000000000000673292Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\LowerCaseLongPathc:\program files\git\usr\bin\printf.exe 13241300x8000000000000000673291Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\BinProductVersion(Empty) 13241300x8000000000000000673290Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673289Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\Publisher(Empty) 13241300x8000000000000000673288Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\LowerCaseLongPathc:\program files\git\usr\bin\printenv.exe 13241300x8000000000000000673287Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\BinProductVersion(Empty) 13241300x8000000000000000673286Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673285Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\Publisher(Empty) 13241300x8000000000000000673284Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\LowerCaseLongPathc:\program files\git\usr\bin\pr.exe 13241300x8000000000000000673283Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\BinProductVersion(Empty) 13241300x8000000000000000673282Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673281Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\Publisher(Empty) 13241300x8000000000000000673280Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\LowerCaseLongPathc:\program files\git\usr\bin\pluginviewer.exe 13241300x8000000000000000673279Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\BinProductVersion(Empty) 13241300x8000000000000000673278Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\LinkDate03/26/2021 22:24:40 13241300x8000000000000000673277Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\Publisher(Empty) 13241300x8000000000000000673276Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\LowerCaseLongPathc:\program files\git\usr\bin\pldd.exe 13241300x8000000000000000673275Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\BinProductVersion(Empty) 13241300x8000000000000000673274Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673273Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\Publisher(Empty) 13241300x8000000000000000673272Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\LowerCaseLongPathc:\program files\git\mingw64\bin\pkcs1-conv.exe 13241300x8000000000000000673271Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\BinProductVersion(Empty) 13241300x8000000000000000673270Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673269Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\Publisher(Empty) 13241300x8000000000000000673268Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\LowerCaseLongPathc:\program files\git\usr\bin\pkcs1-conv.exe 13241300x8000000000000000673267Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\BinProductVersion(Empty) 13241300x8000000000000000673266Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673265Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\Publisher(Empty) 13241300x8000000000000000673264Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\LowerCaseLongPathc:\program files\git\usr\bin\pinky.exe 13241300x8000000000000000673263Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\BinProductVersion(Empty) 13241300x8000000000000000673262Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673261Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\Publisher(Empty) 13241300x8000000000000000673260Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\LowerCaseLongPathc:\program files\git\usr\bin\pinentry.exe 13241300x8000000000000000673259Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\BinProductVersion(Empty) 13241300x8000000000000000673258Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673257Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\Publisher(Empty) 13241300x8000000000000000673256Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\LowerCaseLongPathc:\program files\git\usr\bin\pinentry-w32.exe 13241300x8000000000000000673255Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\perl5.32.1.exe|c43f6e17b4097a52\BinProductVersion(Empty) 13241300x8000000000000000673254Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\perl5.32.1.exe|c43f6e17b4097a52\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673253Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\perl5.32.1.exe|c43f6e17b4097a52\Publisher(Empty) 13241300x8000000000000000673252Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\perl5.32.1.exe|c43f6e17b4097a52\LowerCaseLongPathc:\program files\git\usr\bin\perl5.32.1.exe 13241300x8000000000000000673251Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\BinProductVersion(Empty) 13241300x8000000000000000673250Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673249Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\Publisher(Empty) 13241300x8000000000000000673248Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\LowerCaseLongPathc:\program files\git\usr\bin\perl.exe 13241300x8000000000000000673247Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\BinProductVersion(Empty) 13241300x8000000000000000673246Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673245Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\Publisher(Empty) 13241300x8000000000000000673244Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.653{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\LowerCaseLongPathc:\program files\git\mingw64\bin\pdftotext.exe 13241300x8000000000000000673243Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.638{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\BinProductVersion(Empty) 13241300x8000000000000000673242Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.638{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673241Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.638{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\Publisher(Empty) 13241300x8000000000000000673240Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.638{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\LowerCaseLongPathc:\program files\git\usr\bin\pathchk.exe 13241300x8000000000000000673239Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.638{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\BinProductVersion(Empty) 13241300x8000000000000000673238Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.638{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673237Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.638{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\Publisher(Empty) 13241300x8000000000000000673236Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.638{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\LowerCaseLongPathc:\program files\git\usr\bin\patch.exe 13241300x8000000000000000673235Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\BinProductVersion(Empty) 13241300x8000000000000000673234Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673233Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\Publisher(Empty) 13241300x8000000000000000673232Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\LowerCaseLongPathc:\program files\git\usr\bin\paste.exe 13241300x8000000000000000673231Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\BinProductVersion(Empty) 13241300x8000000000000000673230Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\LinkDate03/26/2021 22:24:40 13241300x8000000000000000673229Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\Publisher(Empty) 13241300x8000000000000000673228Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\LowerCaseLongPathc:\program files\git\usr\bin\passwd.exe 13241300x8000000000000000673227Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\BinProductVersion(Empty) 13241300x8000000000000000673226Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673225Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\Publisher(Empty) 13241300x8000000000000000673224Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\LowerCaseLongPathc:\program files\git\usr\bin\p11-kit.exe 13241300x8000000000000000673223Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\BinProductVersion(Empty) 13241300x8000000000000000673222Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673221Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\Publisher(Empty) 13241300x8000000000000000673220Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\LowerCaseLongPathc:\program files\git\usr\libexec\p11-kit\p11-kit-server.exe 13241300x8000000000000000673219Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\BinProductVersion(Empty) 13241300x8000000000000000673218Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673217Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\Publisher(Empty) 13241300x8000000000000000673216Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\LowerCaseLongPathc:\program files\git\usr\libexec\p11-kit\p11-kit-remote.exe 13241300x8000000000000000673215Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\BinProductVersion1.1.1.11 13241300x8000000000000000673214Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\LinkDate03/25/2021 15:20:47 13241300x8000000000000000673213Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\Publisherthe openssl project, https://www.openssl.org/ 13241300x8000000000000000673212Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.622{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\LowerCaseLongPathc:\program files\git\mingw64\bin\openssl.exe 13241300x8000000000000000673211Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\BinProductVersion1.1.1.11 13241300x8000000000000000673210Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673209Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\Publisherthe openssl project, https://www.openssl.org/ 13241300x8000000000000000673208Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\LowerCaseLongPathc:\program files\git\usr\bin\openssl.exe 13241300x8000000000000000673207Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\BinProductVersion(Empty) 13241300x8000000000000000673206Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673205Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\Publisher(Empty) 13241300x8000000000000000673204Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\LowerCaseLongPathc:\program files\git\mingw64\bin\odt2txt.exe 13241300x8000000000000000673203Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\BinProductVersion(Empty) 13241300x8000000000000000673202Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673201Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\Publisher(Empty) 13241300x8000000000000000673200Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\LowerCaseLongPathc:\program files\git\usr\bin\od.exe 13241300x8000000000000000673199Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\BinProductVersion(Empty) 13241300x8000000000000000673198Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673197Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\Publisher(Empty) 13241300x8000000000000000673196Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\LowerCaseLongPathc:\program files\git\usr\bin\numfmt.exe 13241300x8000000000000000673195Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\BinProductVersion(Empty) 13241300x8000000000000000673194Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673193Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\Publisher(Empty) 13241300x8000000000000000673192Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\LowerCaseLongPathc:\program files\git\usr\bin\nproc.exe 13241300x8000000000000000673191Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\BinProductVersion(Empty) 13241300x8000000000000000673190Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673189Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\Publisher(Empty) 13241300x8000000000000000673188Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.606{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\LowerCaseLongPathc:\program files\git\usr\bin\nohup.exe 13241300x8000000000000000673187Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.605{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\BinProductVersion(Empty) 13241300x8000000000000000673186Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.605{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673185Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.605{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\Publisher(Empty) 13241300x8000000000000000673184Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.605{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\LowerCaseLongPathc:\program files\git\usr\bin\nl.exe 13241300x8000000000000000673183Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.601{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\BinProductVersion(Empty) 13241300x8000000000000000673182Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.601{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673181Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.601{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\Publisher(Empty) 13241300x8000000000000000673180Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.601{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\LowerCaseLongPathc:\program files\git\usr\bin\nice.exe 23542300x8000000000000000673179Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:05.522{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84489B3FA6842ED8B82FF2EB274776A0,SHA256=B4ABE2F3BB62A16DC75200DF3F3B17E7C266C68B6DA35C1AD1CD9B4DE478D17A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673178Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:05.472{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C025A2F2AC3E2108A4519937D827A5,SHA256=4A565803B87BCCC880CFD1A6B8AD3EF382C87B67444C10728E863FE23DAE4DE3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000673177Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.454{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\BinProductVersion0.19.8.0 13241300x8000000000000000673176Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.454{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\LinkDate01/01/1970 00:00:02 13241300x8000000000000000673175Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.453{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\Publisherfree software foundation 13241300x8000000000000000673174Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.453{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\LowerCaseLongPathc:\program files\git\usr\bin\ngettext.exe 13241300x8000000000000000673173Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.453{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\BinProductVersion(Empty) 13241300x8000000000000000673172Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.453{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673171Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.453{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\Publisher(Empty) 13241300x8000000000000000673170Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.453{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\LowerCaseLongPathc:\program files\git\usr\bin\nettle-pbkdf2.exe 13241300x8000000000000000673169Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.452{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\BinProductVersion(Empty) 13241300x8000000000000000673168Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.452{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673167Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.452{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\Publisher(Empty) 13241300x8000000000000000673166Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.452{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\LowerCaseLongPathc:\program files\git\usr\bin\nettle-lfib-stream.exe 13241300x8000000000000000673165Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.452{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\BinProductVersion(Empty) 13241300x8000000000000000673164Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.452{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673163Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.451{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\Publisher(Empty) 13241300x8000000000000000673162Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.451{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\LowerCaseLongPathc:\program files\git\usr\bin\nettle-hash.exe 13241300x8000000000000000673161Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.451{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\BinProductVersion(Empty) 13241300x8000000000000000673160Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.451{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673159Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.451{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\Publisher(Empty) 13241300x8000000000000000673158Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.451{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\LowerCaseLongPathc:\program files\git\usr\bin\nano.exe 13241300x8000000000000000673157Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.444{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\BinProductVersion(Empty) 13241300x8000000000000000673156Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.444{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673155Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.444{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\Publisher(Empty) 13241300x8000000000000000673154Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.444{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\LowerCaseLongPathc:\program files\git\usr\bin\mv.exe 23542300x8000000000000000673153Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:05.350{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3A3C3967F05EC213A3D47E20D0D206,SHA256=1F8F434E2CCC7F36A1057DBC8AFA78A8EAF13132C28BBB1EDBAB7FD71A3E1A8B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000673152Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.330{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\BinProductVersion(Empty) 13241300x8000000000000000673151Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.330{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\LinkDate01/01/1970 00:00:01 13241300x8000000000000000673150Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.330{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\Publisher(Empty) 13241300x8000000000000000673149Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.330{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\LowerCaseLongPathc:\program files\git\usr\bin\msguniq.exe 13241300x8000000000000000673148Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.330{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\BinProductVersion(Empty) 13241300x8000000000000000673147Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.330{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\LinkDate06/19/2025 15:30:53 13241300x8000000000000000673146Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.330{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\Publisher(Empty) 13241300x8000000000000000673145Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.330{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\LowerCaseLongPathc:\program files\git\usr\bin\msgunfmt.exe 13241300x8000000000000000673144Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.329{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\BinProductVersion(Empty) 13241300x8000000000000000673143Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.329{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\LinkDate06/19/2025 15:30:53 13241300x8000000000000000673142Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.329{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\Publisher(Empty) 13241300x8000000000000000673141Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.329{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\LowerCaseLongPathc:\program files\git\usr\bin\msgmerge.exe 13241300x8000000000000000673140Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.328{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\BinProductVersion(Empty) 13241300x8000000000000000673139Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.328{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\LinkDate01/18/2021 06:51:50 13241300x8000000000000000673138Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.328{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\Publisher(Empty) 13241300x8000000000000000673137Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.328{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\LowerCaseLongPathc:\program files\git\usr\bin\msginit.exe 13241300x8000000000000000673136Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.327{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\BinProductVersion(Empty) 13241300x8000000000000000673135Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.327{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673134Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.327{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\Publisher(Empty) 13241300x8000000000000000673133Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.327{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\LowerCaseLongPathc:\program files\git\usr\bin\msggrep.exe 13241300x8000000000000000673132Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.325{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\BinProductVersion(Empty) 13241300x8000000000000000673131Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.325{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\LinkDate06/19/2025 15:30:53 13241300x8000000000000000673130Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.325{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\Publisher(Empty) 13241300x8000000000000000673129Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.325{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\LowerCaseLongPathc:\program files\git\usr\bin\msgfmt.exe 13241300x8000000000000000673128Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.323{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\BinProductVersion(Empty) 13241300x8000000000000000673127Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.323{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673126Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.323{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\Publisher(Empty) 13241300x8000000000000000673125Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.323{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\LowerCaseLongPathc:\program files\git\usr\bin\msgfilter.exe 13241300x8000000000000000673124Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.322{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\BinProductVersion(Empty) 13241300x8000000000000000673123Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.322{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\LinkDate01/01/1970 00:00:01 13241300x8000000000000000673122Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.322{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\Publisher(Empty) 13241300x8000000000000000673121Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.322{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\LowerCaseLongPathc:\program files\git\usr\bin\msgexec.exe 13241300x8000000000000000673120Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.321{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\BinProductVersion(Empty) 13241300x8000000000000000673119Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.321{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\LinkDate06/19/2025 15:30:53 13241300x8000000000000000673118Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.321{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\Publisher(Empty) 13241300x8000000000000000673117Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.321{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\LowerCaseLongPathc:\program files\git\usr\bin\msgen.exe 13241300x8000000000000000673116Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.321{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\BinProductVersion(Empty) 13241300x8000000000000000673115Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.321{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\LinkDate06/19/2025 15:30:53 13241300x8000000000000000673114Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.320{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\Publisher(Empty) 13241300x8000000000000000673113Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.320{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\LowerCaseLongPathc:\program files\git\usr\bin\msgconv.exe 13241300x8000000000000000673112Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.320{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\BinProductVersion(Empty) 13241300x8000000000000000673111Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.320{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\LinkDate06/19/2025 15:30:53 13241300x8000000000000000673110Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.320{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\Publisher(Empty) 13241300x8000000000000000673109Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.320{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\LowerCaseLongPathc:\program files\git\usr\bin\msgcomm.exe 13241300x8000000000000000673108Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.319{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\BinProductVersion(Empty) 13241300x8000000000000000673107Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.319{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\LinkDate05/08/2031 18:06:26 13241300x8000000000000000673106Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.319{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\Publisher(Empty) 13241300x8000000000000000673105Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.319{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\LowerCaseLongPathc:\program files\git\usr\bin\msgcmp.exe 13241300x8000000000000000673104Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.318{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\BinProductVersion(Empty) 13241300x8000000000000000673103Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.318{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\LinkDate01/01/1970 00:00:01 13241300x8000000000000000673102Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.318{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\Publisher(Empty) 13241300x8000000000000000673101Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.318{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\LowerCaseLongPathc:\program files\git\usr\bin\msgcat.exe 13241300x8000000000000000673100Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.318{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\BinProductVersion(Empty) 13241300x8000000000000000673099Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.318{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\LinkDate01/01/1970 00:00:01 13241300x8000000000000000673098Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.317{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\Publisher(Empty) 13241300x8000000000000000673097Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.317{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\LowerCaseLongPathc:\program files\git\usr\bin\msgattrib.exe 13241300x8000000000000000673096Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.317{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\BinProductVersion(Empty) 13241300x8000000000000000673095Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.317{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673094Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.317{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\Publisher(Empty) 13241300x8000000000000000673093Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.317{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\LowerCaseLongPathc:\program files\git\usr\bin\mpicalc.exe 13241300x8000000000000000673092Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.316{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\BinProductVersion(Empty) 13241300x8000000000000000673091Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.316{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\LinkDate03/26/2021 22:24:40 13241300x8000000000000000673090Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.316{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\Publisher(Empty) 13241300x8000000000000000673089Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.316{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\LowerCaseLongPathc:\program files\git\usr\bin\mount.exe 13241300x8000000000000000673088Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.313{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\BinProductVersion(Empty) 13241300x8000000000000000673087Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.313{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673086Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.313{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\Publisher(Empty) 13241300x8000000000000000673085Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.313{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\LowerCaseLongPathc:\program files\git\usr\bin\mktemp.exe 13241300x8000000000000000673084Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.312{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\BinProductVersion(Empty) 13241300x8000000000000000673083Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.312{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\LinkDate03/26/2021 22:24:40 13241300x8000000000000000673082Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.312{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\Publisher(Empty) 13241300x8000000000000000673081Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.312{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\LowerCaseLongPathc:\program files\git\usr\bin\mkpasswd.exe 13241300x8000000000000000673080Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.310{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\BinProductVersion(Empty) 13241300x8000000000000000673079Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.310{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673078Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.310{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\Publisher(Empty) 13241300x8000000000000000673077Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.310{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\LowerCaseLongPathc:\program files\git\usr\bin\mknod.exe 13241300x8000000000000000673076Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.309{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\BinProductVersion(Empty) 13241300x8000000000000000673075Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.309{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\LinkDate03/26/2021 22:24:40 13241300x8000000000000000673074Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.309{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\Publisher(Empty) 13241300x8000000000000000673073Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.309{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\LowerCaseLongPathc:\program files\git\usr\bin\mkgroup.exe 13241300x8000000000000000673072Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.306{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\BinProductVersion(Empty) 13241300x8000000000000000673071Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.306{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673070Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.306{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\Publisher(Empty) 13241300x8000000000000000673069Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.306{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\LowerCaseLongPathc:\program files\git\usr\bin\mkfifo.exe 13241300x8000000000000000673068Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.305{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\BinProductVersion(Empty) 13241300x8000000000000000673067Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.305{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673066Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.305{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\Publisher(Empty) 13241300x8000000000000000673065Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.305{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\LowerCaseLongPathc:\program files\git\usr\bin\mkdir.exe 13241300x8000000000000000673064Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.303{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\BinProductVersion0.0.0.0 13241300x8000000000000000673063Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.303{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673062Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.303{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\Publisherandy koppe / thomas wolff 13241300x8000000000000000673061Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.303{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\LowerCaseLongPathc:\program files\git\usr\bin\mintty.exe 13241300x8000000000000000673060Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.293{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\BinProductVersion(Empty) 13241300x8000000000000000673059Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.293{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\LinkDate03/26/2021 22:24:40 13241300x8000000000000000673058Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.293{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\Publisher(Empty) 13241300x8000000000000000673057Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.293{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\LowerCaseLongPathc:\program files\git\usr\bin\minidumper.exe 13241300x8000000000000000673056Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.291{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\BinProductVersion(Empty) 13241300x8000000000000000673055Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.291{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673054Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.291{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\Publisher(Empty) 13241300x8000000000000000673053Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.291{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\LowerCaseLongPathc:\program files\git\usr\bin\md5sum.exe 13241300x8000000000000000673052Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.290{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\BinProductVersion(Empty) 13241300x8000000000000000673051Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.290{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673050Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.290{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\Publisher(Empty) 13241300x8000000000000000673049Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.290{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\LowerCaseLongPathc:\program files\git\usr\bin\mac2unix.exe 13241300x8000000000000000673048Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.289{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\BinProductVersion5.2.5.0 13241300x8000000000000000673047Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.289{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673046Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.289{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\Publisherthe tukaani project <https://tukaani.org/> 13241300x8000000000000000673045Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.289{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\LowerCaseLongPathc:\program files\git\mingw64\bin\lzmainfo.exe 13241300x8000000000000000673044Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.288{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\BinProductVersion5.2.5.0 13241300x8000000000000000673043Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.288{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673042Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.288{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\Publisherthe tukaani project <https://tukaani.org/> 13241300x8000000000000000673041Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.288{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\LowerCaseLongPathc:\program files\git\mingw64\bin\lzmadec.exe 13241300x8000000000000000673040Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.287{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\BinProductVersion(Empty) 13241300x8000000000000000673039Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.287{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\LinkDate03/26/2021 22:24:39 13241300x8000000000000000673038Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.287{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\Publisher(Empty) 13241300x8000000000000000673037Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.287{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\LowerCaseLongPathc:\program files\git\usr\bin\lsattr.exe 13241300x8000000000000000673036Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.285{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\BinProductVersion(Empty) 13241300x8000000000000000673035Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.285{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673034Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.285{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\Publisher(Empty) 13241300x8000000000000000673033Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.285{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\LowerCaseLongPathc:\program files\git\usr\bin\ls.exe 13241300x8000000000000000673032Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.282{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\BinProductVersion(Empty) 13241300x8000000000000000673031Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.282{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673030Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.282{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\Publisher(Empty) 13241300x8000000000000000673029Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.282{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\LowerCaseLongPathc:\program files\git\usr\bin\logname.exe 13241300x8000000000000000673028Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.281{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\BinProductVersion(Empty) 13241300x8000000000000000673027Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.281{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673026Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.281{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\Publisher(Empty) 13241300x8000000000000000673025Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.281{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\LowerCaseLongPathc:\program files\git\usr\bin\locate.exe 13241300x8000000000000000673024Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.278{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\BinProductVersion(Empty) 13241300x8000000000000000673023Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.278{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\LinkDate03/26/2021 22:24:39 13241300x8000000000000000673022Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.278{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\Publisher(Empty) 13241300x8000000000000000673021Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.278{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\LowerCaseLongPathc:\program files\git\usr\bin\locale.exe 13241300x8000000000000000673020Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.275{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\BinProductVersion(Empty) 13241300x8000000000000000673019Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.275{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673018Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.275{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\Publisher(Empty) 13241300x8000000000000000673017Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.275{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\LowerCaseLongPathc:\program files\git\usr\bin\ln.exe 13241300x8000000000000000673016Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.273{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\BinProductVersion(Empty) 13241300x8000000000000000673015Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.273{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673014Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.273{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\Publisher(Empty) 13241300x8000000000000000673013Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.273{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\LowerCaseLongPathc:\program files\git\usr\bin\link.exe 13241300x8000000000000000673012Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.271{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\BinProductVersion(Empty) 13241300x8000000000000000673011Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.271{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673010Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.271{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\Publisher(Empty) 13241300x8000000000000000673009Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.271{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\LowerCaseLongPathc:\program files\git\usr\bin\lesskey.exe 13241300x8000000000000000673008Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.271{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\BinProductVersion(Empty) 13241300x8000000000000000673007Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.271{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673006Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.270{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\Publisher(Empty) 13241300x8000000000000000673005Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.270{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\LowerCaseLongPathc:\program files\git\usr\bin\lessecho.exe 13241300x8000000000000000673004Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.270{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\BinProductVersion(Empty) 13241300x8000000000000000673003Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.270{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673002Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.270{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\Publisher(Empty) 13241300x8000000000000000673001Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.270{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\LowerCaseLongPathc:\program files\git\usr\bin\less.exe 13241300x8000000000000000673000Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.267{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\BinProductVersion(Empty) 13241300x8000000000000000672999Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.267{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\LinkDate03/26/2021 22:24:41 13241300x8000000000000000672998Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.266{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\Publisher(Empty) 13241300x8000000000000000672997Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.266{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\LowerCaseLongPathc:\program files\git\usr\bin\ldh.exe 13241300x8000000000000000672996Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.266{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\BinProductVersion(Empty) 13241300x8000000000000000672995Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.266{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\LinkDate03/26/2021 22:24:39 13241300x8000000000000000672994Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.266{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\Publisher(Empty) 13241300x8000000000000000672993Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.266{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\LowerCaseLongPathc:\program files\git\usr\bin\ldd.exe 13241300x8000000000000000672992Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.263{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\BinProductVersion(Empty) 13241300x8000000000000000672991Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.263{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\LinkDate03/26/2021 22:24:39 13241300x8000000000000000672990Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.263{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\Publisher(Empty) 13241300x8000000000000000672989Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.263{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\LowerCaseLongPathc:\program files\git\usr\bin\kill.exe 13241300x8000000000000000672988Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.261{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\BinProductVersion(Empty) 13241300x8000000000000000672987Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.261{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672986Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.261{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\Publisher(Empty) 13241300x8000000000000000672985Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.261{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\LowerCaseLongPathc:\program files\git\usr\bin\kbxutil.exe 13241300x8000000000000000672984Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.258{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\BinProductVersion(Empty) 13241300x8000000000000000672983Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.258{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672982Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.258{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\Publisher(Empty) 13241300x8000000000000000672981Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.258{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\LowerCaseLongPathc:\program files\git\usr\bin\join.exe 13241300x8000000000000000672980Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.257{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\BinProductVersion(Empty) 13241300x8000000000000000672979Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.257{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672978Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.257{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\Publisher(Empty) 13241300x8000000000000000672977Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.257{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\LowerCaseLongPathc:\program files\git\usr\bin\install.exe 13241300x8000000000000000672976Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.254{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\BinProductVersion(Empty) 13241300x8000000000000000672975Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.254{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672974Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.254{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\Publisher(Empty) 13241300x8000000000000000672973Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.254{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\LowerCaseLongPathc:\program files\git\usr\bin\infotocap.exe 13241300x8000000000000000672972Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.252{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\BinProductVersion(Empty) 13241300x8000000000000000672971Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.252{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672970Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.252{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\Publisher(Empty) 13241300x8000000000000000672969Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.252{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\LowerCaseLongPathc:\program files\git\usr\bin\infocmp.exe 13241300x8000000000000000672968Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.252{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\BinProductVersion(Empty) 13241300x8000000000000000672967Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.251{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672966Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.251{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\Publisher(Empty) 13241300x8000000000000000672965Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.251{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\LowerCaseLongPathc:\program files\git\usr\bin\id.exe 13241300x8000000000000000672964Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.251{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\BinProductVersion(Empty) 13241300x8000000000000000672963Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.251{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672962Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.251{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\Publisher(Empty) 13241300x8000000000000000672961Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.250{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\LowerCaseLongPathc:\program files\git\usr\bin\iconv.exe 13241300x8000000000000000672960Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.250{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\BinProductVersion(Empty) 13241300x8000000000000000672959Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.250{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672958Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.250{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\Publisher(Empty) 13241300x8000000000000000672957Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.250{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\LowerCaseLongPathc:\program files\git\usr\bin\hostname.exe 13241300x8000000000000000672956Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.248{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\BinProductVersion(Empty) 13241300x8000000000000000672955Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.248{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\LinkDate06/19/2025 15:30:53 13241300x8000000000000000672954Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.248{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\Publisher(Empty) 13241300x8000000000000000672953Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.248{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\LowerCaseLongPathc:\program files\git\usr\lib\gettext\hostname.exe 13241300x8000000000000000672952Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.247{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\BinProductVersion(Empty) 13241300x8000000000000000672951Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.247{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672950Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.247{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\Publisher(Empty) 13241300x8000000000000000672949Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.247{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\LowerCaseLongPathc:\program files\git\usr\bin\hostid.exe 13241300x8000000000000000672948Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.247{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\BinProductVersion(Empty) 13241300x8000000000000000672947Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.247{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672946Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.247{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\Publisher(Empty) 13241300x8000000000000000672945Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.247{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\LowerCaseLongPathc:\program files\git\usr\bin\hmac256.exe 13241300x8000000000000000672944Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.246{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\BinProductVersion2.31.1.1 13241300x8000000000000000672943Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.246{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\LinkDate03/27/2021 09:56:19 13241300x8000000000000000672942Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.246{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\Publisherthe git development community 13241300x8000000000000000672941Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.246{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\headless-git.exe 13241300x8000000000000000672940Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.245{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\BinProductVersion(Empty) 13241300x8000000000000000672939Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.245{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672938Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.245{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\Publisher(Empty) 13241300x8000000000000000672937Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.245{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\LowerCaseLongPathc:\program files\git\usr\bin\head.exe 13241300x8000000000000000672936Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.244{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\BinProductVersion(Empty) 13241300x8000000000000000672935Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.244{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672934Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.244{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\Publisher(Empty) 13241300x8000000000000000672933Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.244{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\LowerCaseLongPathc:\program files\git\usr\bin\gzip.exe 13241300x8000000000000000672932Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.242{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\BinProductVersion(Empty) 13241300x8000000000000000672931Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.242{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672930Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.242{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\Publisher(Empty) 13241300x8000000000000000672929Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.241{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\LowerCaseLongPathc:\program files\git\usr\bin\gsettings.exe 13241300x8000000000000000672928Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.241{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\BinProductVersion(Empty) 13241300x8000000000000000672927Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.241{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672926Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.241{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\Publisher(Empty) 13241300x8000000000000000672925Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.241{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\LowerCaseLongPathc:\program files\git\usr\bin\groups.exe 13241300x8000000000000000672924Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.239{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\BinProductVersion(Empty) 13241300x8000000000000000672923Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.239{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672922Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.239{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\Publisher(Empty) 13241300x8000000000000000672921Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.239{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\LowerCaseLongPathc:\program files\git\usr\bin\grep.exe 13241300x8000000000000000672920Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.236{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\BinProductVersion(Empty) 13241300x8000000000000000672919Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.235{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672918Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.235{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\Publisher(Empty) 13241300x8000000000000000672917Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.235{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\LowerCaseLongPathc:\program files\git\usr\lib\awk\grcat.exe 13241300x8000000000000000672916Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.235{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\BinProductVersion(Empty) 13241300x8000000000000000672915Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.235{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672914Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.235{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\Publisher(Empty) 13241300x8000000000000000672913Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.235{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\LowerCaseLongPathc:\program files\git\usr\bin\gpgv.exe 13241300x8000000000000000672912Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.228{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\BinProductVersion(Empty) 13241300x8000000000000000672911Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.228{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672910Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.228{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\Publisher(Empty) 13241300x8000000000000000672909Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.228{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\LowerCaseLongPathc:\program files\git\usr\bin\gpgtar.exe 13241300x8000000000000000672908Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.226{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\BinProductVersion(Empty) 13241300x8000000000000000672907Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.226{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672906Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.226{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\Publisher(Empty) 13241300x8000000000000000672905Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.226{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\LowerCaseLongPathc:\program files\git\usr\bin\gpgsplit.exe 13241300x8000000000000000672904Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.225{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\BinProductVersion(Empty) 13241300x8000000000000000672903Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.225{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672902Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.225{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\Publisher(Empty) 13241300x8000000000000000672901Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.225{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\LowerCaseLongPathc:\program files\git\usr\bin\gpgsm.exe 13241300x8000000000000000672900Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.219{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\BinProductVersion(Empty) 13241300x8000000000000000672899Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.219{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672898Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.219{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\Publisher(Empty) 13241300x8000000000000000672897Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.218{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\LowerCaseLongPathc:\program files\git\usr\bin\gpgscm.exe 13241300x8000000000000000672896Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.214{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\BinProductVersion(Empty) 13241300x8000000000000000672895Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.214{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672894Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.214{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\Publisher(Empty) 13241300x8000000000000000672893Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.214{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\LowerCaseLongPathc:\program files\git\usr\bin\gpgparsemail.exe 13241300x8000000000000000672892Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.213{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\BinProductVersion(Empty) 13241300x8000000000000000672891Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.213{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672890Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.213{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\Publisher(Empty) 13241300x8000000000000000672889Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.213{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\LowerCaseLongPathc:\program files\git\usr\bin\gpgconf.exe 13241300x8000000000000000672888Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.210{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\BinProductVersion(Empty) 13241300x8000000000000000672887Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.210{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672886Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.210{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\Publisher(Empty) 13241300x8000000000000000672885Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.210{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\LowerCaseLongPathc:\program files\git\usr\bin\gpg.exe 13241300x8000000000000000672884Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.201{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\BinProductVersion(Empty) 13241300x8000000000000000672883Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.200{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672882Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.200{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\Publisher(Empty) 13241300x8000000000000000672881Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.200{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\LowerCaseLongPathc:\program files\git\usr\bin\gpg-wks-server.exe 13241300x8000000000000000672880Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.197{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\BinProductVersion(Empty) 13241300x8000000000000000672879Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.197{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672878Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.197{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\Publisher(Empty) 13241300x8000000000000000672877Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.197{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-wks-client.exe 13241300x8000000000000000672876Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.194{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\BinProductVersion(Empty) 13241300x8000000000000000672875Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.194{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672874Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.194{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\Publisher(Empty) 13241300x8000000000000000672873Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.194{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-protect-tool.exe 13241300x8000000000000000672872Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.191{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\BinProductVersion(Empty) 13241300x8000000000000000672871Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.191{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672870Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.191{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\Publisher(Empty) 13241300x8000000000000000672869Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.191{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-preset-passphrase.exe 13241300x8000000000000000672868Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.189{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\BinProductVersion(Empty) 13241300x8000000000000000672867Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.189{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672866Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.189{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\Publisher(Empty) 13241300x8000000000000000672865Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.189{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\LowerCaseLongPathc:\program files\git\usr\bin\gpg-error.exe 13241300x8000000000000000672864Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.188{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\BinProductVersion(Empty) 13241300x8000000000000000672863Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.188{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672862Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.188{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\Publisher(Empty) 13241300x8000000000000000672861Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.188{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\LowerCaseLongPathc:\program files\git\usr\bin\gpg-connect-agent.exe 13241300x8000000000000000672860Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.185{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\BinProductVersion(Empty) 13241300x8000000000000000672859Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.185{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672858Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.185{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\Publisher(Empty) 13241300x8000000000000000672857Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.185{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-check-pattern.exe 13241300x8000000000000000672856Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.183{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\BinProductVersion(Empty) 13241300x8000000000000000672855Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.183{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672854Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.182{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\Publisher(Empty) 13241300x8000000000000000672853Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.182{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\LowerCaseLongPathc:\program files\git\usr\bin\gpg-agent.exe 13241300x8000000000000000672852Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.177{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\BinProductVersion(Empty) 13241300x8000000000000000672851Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.177{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672850Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.177{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\Publisher(Empty) 13241300x8000000000000000672849Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.177{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\LowerCaseLongPathc:\program files\git\usr\bin\gobject-query.exe 13241300x8000000000000000672848Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.176{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\BinProductVersion(Empty) 13241300x8000000000000000672847Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.176{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672846Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.176{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\Publisher(Empty) 13241300x8000000000000000672845Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.176{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\LowerCaseLongPathc:\program files\git\usr\bin\glib-compile-schemas.exe 13241300x8000000000000000672844Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.175{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\BinProductVersion(Empty) 13241300x8000000000000000672843Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.175{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\LinkDate01/01/1970 00:00:00 13241300x8000000000000000672842Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.175{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\Publisher(Empty) 13241300x8000000000000000672841Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.175{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\LowerCaseLongPathc:\program files\git\usr\bin\gkill.exe 13241300x8000000000000000672840Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.174{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\BinProductVersion2.31.1.1 13241300x8000000000000000672839Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.174{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\LinkDate03/27/2021 09:48:41 13241300x8000000000000000672838Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.174{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\Publisherthe git development community 13241300x8000000000000000672837Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.174{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\LowerCaseLongPathc:\program files\git\cmd\gitk.exe 13241300x8000000000000000672836Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.170{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\BinProductVersion2.0.394.0 13241300x8000000000000000672835Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.170{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\LinkDate09/29/2055 20:33:00 13241300x8000000000000000672834Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.170{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\Publishergithub.ui 13241300x8000000000000000672833Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.170{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\github.ui.exe 13241300x8000000000000000672832Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.167{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\github.authentic|8ce4a82757c1afc5\BinProductVersion1.5.0.0 13241300x8000000000000000672831Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.167{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\github.authentic|8ce4a82757c1afc5\LinkDate09/05/2019 15:01:45 13241300x8000000000000000672830Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.167{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\github.authentic|8ce4a82757c1afc5\Publishergithub 13241300x8000000000000000672829Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.167{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\github.authentic|8ce4a82757c1afc5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\github.authentication.exe 13241300x8000000000000000672828Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.162{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\BinProductVersion2.31.1.1 13241300x8000000000000000672827Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.162{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672826Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.162{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\Publisherthe git development community 13241300x8000000000000000672825Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.162{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git.exe 23542300x8000000000000000672824Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:05.151{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8198E4CD85477D45C3130EF92BC282,SHA256=4159C5B4890196D822483BE9E3AAA4695387A11D238E55333DCB16AFC5963D1E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000672823Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.140{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\BinProductVersion2.31.1.1 13241300x8000000000000000672822Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.140{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\LinkDate03/27/2021 09:48:40 13241300x8000000000000000672821Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.140{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\Publisherthe git development community 13241300x8000000000000000672820Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.140{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\LowerCaseLongPathc:\program files\git\bin\git.exe 13241300x8000000000000000672819Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.138{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\BinProductVersion2.31.1.1 13241300x8000000000000000672818Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.138{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672817Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.138{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\Publisherthe git development community 13241300x8000000000000000672816Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.138{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\LowerCaseLongPathc:\program files\git\mingw64\bin\git.exe 13241300x8000000000000000672815Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.129{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\BinProductVersion2.31.1.1 13241300x8000000000000000672814Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.129{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\LinkDate03/27/2021 09:48:40 13241300x8000000000000000672813Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.129{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\Publisherthe git development community 13241300x8000000000000000672812Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.129{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\LowerCaseLongPathc:\program files\git\cmd\git.exe 13241300x8000000000000000672811Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.128{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\BinProductVersion2.31.1.1 13241300x8000000000000000672810Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.128{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672809Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.128{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\Publisherthe git development community 13241300x8000000000000000672808Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.128{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-write-tree.exe 13241300x8000000000000000672807Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.118{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\BinProductVersion2.31.1.1 13241300x8000000000000000672806Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.118{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\LinkDate03/27/2021 09:48:40 13241300x8000000000000000672805Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.118{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\Publisherthe git development community 13241300x8000000000000000672804Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.118{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\LowerCaseLongPathc:\program files\git\mingw64\share\git\git-wrapper.exe 13241300x8000000000000000672803Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.117{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\BinProductVersion2.31.1.1 13241300x8000000000000000672802Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.117{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672801Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.116{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\Publisherthe git development community 13241300x8000000000000000672800Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.116{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-worktree.exe 13241300x8000000000000000672799Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.107{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\BinProductVersion2.31.1.1 13241300x8000000000000000672798Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.107{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672797Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.107{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\Publisherthe git development community 13241300x8000000000000000672796Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.107{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-whatchanged.exe 13241300x8000000000000000672795Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.097{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\BinProductVersion2.31.1.1 13241300x8000000000000000672794Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.097{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672793Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.097{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\Publisherthe git development community 13241300x8000000000000000672792Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.097{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-verify-tag.exe 13241300x8000000000000000672791Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.087{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\BinProductVersion2.31.1.1 13241300x8000000000000000672790Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.087{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672789Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.087{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\Publisherthe git development community 13241300x8000000000000000672788Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.087{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-verify-pack.exe 13241300x8000000000000000672787Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.077{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\BinProductVersion2.31.1.1 13241300x8000000000000000672786Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.077{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672785Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.077{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\Publisherthe git development community 13241300x8000000000000000672784Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.077{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-verify-commit.exe 10341000x8000000000000000672783Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:05.075{7B03F3B2-7FE0-609D-1456-00000000BA01}47122132C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe{7B03F3B2-7FE0-609D-1356-00000000BA01}5204C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 13241300x8000000000000000672782Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.068{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\BinProductVersion2.31.1.1 13241300x8000000000000000672781Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.068{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672780Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.068{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\Publisherthe git development community 13241300x8000000000000000672779Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.068{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-var.exe 13241300x8000000000000000672778Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.059{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\BinProductVersion2.31.1.1 13241300x8000000000000000672777Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.059{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672776Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.059{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\Publisherthe git development community 13241300x8000000000000000672775Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.059{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\LowerCaseLongPathc:\program files\git\mingw64\bin\git-upload-pack.exe 13241300x8000000000000000672774Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.050{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\BinProductVersion2.31.1.1 13241300x8000000000000000672773Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.050{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672772Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.050{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\Publisherthe git development community 13241300x8000000000000000672771Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.050{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-upload-pack.exe 13241300x8000000000000000672770Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.041{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\BinProductVersion2.31.1.1 13241300x8000000000000000672769Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.041{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672768Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.041{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\Publisherthe git development community 13241300x8000000000000000672767Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.041{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-upload-archive.exe 13241300x8000000000000000672766Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.032{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\BinProductVersion2.31.1.1 13241300x8000000000000000672765Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.032{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672764Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.032{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\Publisherthe git development community 13241300x8000000000000000672763Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.032{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\LowerCaseLongPathc:\program files\git\mingw64\bin\git-upload-archive.exe 13241300x8000000000000000672762Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.022{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\BinProductVersion2.31.1.1 13241300x8000000000000000672761Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.022{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672760Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.022{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\Publisherthe git development community 13241300x8000000000000000672759Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.022{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-update-server-info.exe 13241300x8000000000000000672758Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.013{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\BinProductVersion2.31.1.1 13241300x8000000000000000672757Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.013{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672756Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.013{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\Publisherthe git development community 13241300x8000000000000000672755Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.013{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-update-ref.exe 13241300x8000000000000000672754Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.003{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\BinProductVersion2.31.1.1 13241300x8000000000000000672753Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.003{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\LinkDate03/27/2021 09:56:23 13241300x8000000000000000672752Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.003{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\Publisherthe git development community 13241300x8000000000000000672751Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.003{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-update-index.exe 23542300x8000000000000000673848Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:06.961{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D22F72CCC6C152B73420E6AAF318DFD,SHA256=670CBE40C7750BD3AA976ECC816231B18D3F0FAD3748DC0E3C850367F2D92174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572683Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:06.778{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07427988B82E79F69A81AE587CB5332C,SHA256=176FBB15ACBB6B2B8A11955860061074070E7AB31940EE99B6DB012E48A0DB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673847Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:06.325{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45D80BD060412C176604B9C134E641D,SHA256=040273BFA0867371EF42A1907DB581C0A44DB1516227D9C59203634813D65C80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673846Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:06.259{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=443453CE57BE5604FBC42B764192710D,SHA256=2C50C6B002A41CE798EBD7A40F68AFB260877C1BC25404DD1C6A4B006F3C7231,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000673845Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.245{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplication\0000e88c864b87418038dd1cb1c0f40fac4b0000ffff\PublisherNmap Project 13241300x8000000000000000673844Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.243{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|af59766a7e5a8c5a\BinProductVersion5.1.20.305 13241300x8000000000000000673843Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.243{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|af59766a7e5a8c5a\LinkDate08/01/2020 03:04:08 13241300x8000000000000000673842Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.243{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|af59766a7e5a8c5a\Publisher(Empty) 13241300x8000000000000000673841Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.243{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|af59766a7e5a8c5a\LowerCaseLongPathc:\program files\npcap\uninstall.exe 13241300x8000000000000000673840Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\npfinstall.exe|4fcd245e63e11e31\BinProductVersion5.1.20.305 13241300x8000000000000000673839Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\npfinstall.exe|4fcd245e63e11e31\LinkDate03/05/2021 22:42:31 13241300x8000000000000000673838Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\npfinstall.exe|4fcd245e63e11e31\Publisherinsecure.com llc. 13241300x8000000000000000673837Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\npfinstall.exe|4fcd245e63e11e31\LowerCaseLongPathc:\program files\npcap\npfinstall.exe 13241300x8000000000000000673836Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\npcap.sys|3741aa4c3d128834\BinProductVersion5.1.20.305 13241300x8000000000000000673835Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\npcap.sys|3741aa4c3d128834\LinkDate03/05/2021 22:42:37 13241300x8000000000000000673834Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\npcap.sys|3741aa4c3d128834\Publisherinsecure.com llc. 13241300x8000000000000000673833Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\npcap.sys|3741aa4c3d128834\LowerCaseLongPathc:\program files\npcap\npcap.sys 13241300x8000000000000000673832Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplication\0000e22a0949596eef20fe03957e1f2fbd7e0000ffff\PublisherNotepad++ Team 13241300x8000000000000000673831Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\BinProductVersion7.9.5.0 13241300x8000000000000000673830Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\LinkDate12/15/2018 22:24:36 13241300x8000000000000000673829Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\Publisherdon ho don.h@free.fr 13241300x8000000000000000673828Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\LowerCaseLongPathc:\program files\notepad++\uninstall.exe 13241300x8000000000000000673827Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\BinProductVersion7.9.5.0 13241300x8000000000000000673826Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\LinkDate03/21/2021 01:15:42 13241300x8000000000000000673825Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\Publisherdon ho don.h@free.fr 13241300x8000000000000000673824Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.227{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\LowerCaseLongPathc:\program files\notepad++\notepad++.exe 13241300x8000000000000000673823Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.221{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\BinProductVersion5.1.3.0 13241300x8000000000000000673822Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.221{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\LinkDate03/08/2021 20:02:13 13241300x8000000000000000673821Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.221{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\Publisherdon ho don.h@free.fr 13241300x8000000000000000673820Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.221{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\LowerCaseLongPathc:\program files\notepad++\updater\gup.exe 13241300x8000000000000000673819Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.216{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplication\0000df264dabd056fd627673f81b364e56d90000ffff\PublisherThe Git Development Community 13241300x8000000000000000673818Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.211{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\BinProductVersion(Empty) 13241300x8000000000000000673817Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.211{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673816Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.211{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\Publisher(Empty) 13241300x8000000000000000673815Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.211{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\LowerCaseLongPathc:\program files\git\usr\bin\[.exe 13241300x8000000000000000673814Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.210{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ziptool.exe|7269435f129e6e01\BinProductVersion(Empty) 13241300x8000000000000000673813Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.210{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ziptool.exe|7269435f129e6e01\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673812Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.210{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ziptool.exe|7269435f129e6e01\Publisher(Empty) 13241300x8000000000000000673811Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.210{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\ziptool.exe|7269435f129e6e01\LowerCaseLongPathc:\program files\git\mingw64\bin\ziptool.exe 13241300x8000000000000000673810Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.207{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\zipmerge.exe|13ce9e43b33787b4\BinProductVersion(Empty) 13241300x8000000000000000673809Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.207{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\zipmerge.exe|13ce9e43b33787b4\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673808Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.207{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\zipmerge.exe|13ce9e43b33787b4\Publisher(Empty) 13241300x8000000000000000673807Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.207{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\zipmerge.exe|13ce9e43b33787b4\LowerCaseLongPathc:\program files\git\mingw64\bin\zipmerge.exe 13241300x8000000000000000673806Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.204{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\BinProductVersion(Empty) 13241300x8000000000000000673805Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.204{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\LinkDate05/08/2031 18:06:26 13241300x8000000000000000673804Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.204{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\Publisher(Empty) 13241300x8000000000000000673803Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.204{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\LowerCaseLongPathc:\program files\git\usr\bin\zipinfo.exe 13241300x8000000000000000673802Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.200{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\zipcmp.exe|72e4c18935f10855\BinProductVersion(Empty) 13241300x8000000000000000673801Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.200{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\zipcmp.exe|72e4c18935f10855\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673800Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.200{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\zipcmp.exe|72e4c18935f10855\Publisher(Empty) 13241300x8000000000000000673799Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.200{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\zipcmp.exe|72e4c18935f10855\LowerCaseLongPathc:\program files\git\mingw64\bin\zipcmp.exe 13241300x8000000000000000673798Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.196{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\BinProductVersion(Empty) 13241300x8000000000000000673797Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.196{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673796Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.196{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\Publisher(Empty) 13241300x8000000000000000673795Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.196{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\LowerCaseLongPathc:\program files\git\usr\bin\yes.exe 13241300x8000000000000000673794Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.195{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\BinProductVersion(Empty) 13241300x8000000000000000673793Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.195{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673792Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.195{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\Publisher(Empty) 13241300x8000000000000000673791Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.195{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\LowerCaseLongPathc:\program files\git\usr\bin\yat2m.exe 13241300x8000000000000000673790Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.194{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\BinProductVersion5.2.5.0 13241300x8000000000000000673789Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.194{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673788Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.194{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\Publisherthe tukaani project <https://tukaani.org/> 13241300x8000000000000000673787Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.194{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\LowerCaseLongPathc:\program files\git\mingw64\bin\xzdec.exe 13241300x8000000000000000673786Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.194{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\BinProductVersion5.2.5.0 13241300x8000000000000000673785Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.194{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673784Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.194{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\Publisherthe tukaani project <https://tukaani.org/> 13241300x8000000000000000673783Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.194{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\LowerCaseLongPathc:\program files\git\mingw64\bin\xzcat.exe 13241300x8000000000000000673782Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.192{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\BinProductVersion5.2.5.0 13241300x8000000000000000673781Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.192{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673780Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.192{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\Publisherthe tukaani project <https://tukaani.org/> 13241300x8000000000000000673779Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.192{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\LowerCaseLongPathc:\program files\git\mingw64\bin\xz.exe 13241300x8000000000000000673778Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.190{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\BinProductVersion(Empty) 13241300x8000000000000000673777Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.190{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673776Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.190{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\Publisher(Empty) 13241300x8000000000000000673775Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.190{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\LowerCaseLongPathc:\program files\git\usr\bin\xxd.exe 13241300x8000000000000000673774Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.190{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\BinProductVersion(Empty) 13241300x8000000000000000673773Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.190{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673772Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.190{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\Publisher(Empty) 13241300x8000000000000000673771Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.190{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\LowerCaseLongPathc:\program files\git\mingw64\bin\xmlwf.exe 13241300x8000000000000000673770Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.189{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\BinProductVersion(Empty) 13241300x8000000000000000673769Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.189{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\LinkDate07/19/2029 06:51:46 13241300x8000000000000000673768Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.189{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\Publisher(Empty) 13241300x8000000000000000673767Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.189{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\LowerCaseLongPathc:\program files\git\usr\bin\xgettext.exe 13241300x8000000000000000673766Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.183{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\BinProductVersion(Empty) 13241300x8000000000000000673765Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.183{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673764Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.183{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\Publisher(Empty) 13241300x8000000000000000673763Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.183{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\LowerCaseLongPathc:\program files\git\usr\bin\xargs.exe 13241300x8000000000000000673762Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.182{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\BinProductVersion(Empty) 13241300x8000000000000000673761Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.182{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673760Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.182{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\Publisher(Empty) 13241300x8000000000000000673759Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.181{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\LowerCaseLongPathc:\program files\git\mingw64\bin\x86_64-w64-mingw32-deflatehd.exe 13241300x8000000000000000673758Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.181{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\BinProductVersion(Empty) 13241300x8000000000000000673757Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.181{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673756Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.181{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\Publisher(Empty) 13241300x8000000000000000673755Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.181{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\LowerCaseLongPathc:\program files\git\mingw64\bin\x86_64-w64-mingw32-inflatehd.exe 13241300x8000000000000000673754Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.180{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\BinProductVersion(Empty) 13241300x8000000000000000673753Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.180{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673752Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.180{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\Publisher(Empty) 13241300x8000000000000000673751Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.180{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\LowerCaseLongPathc:\program files\git\mingw64\bin\x86_64-w64-mingw32-agrep.exe 13241300x8000000000000000673750Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.179{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\BinProductVersion8.6.2.11 13241300x8000000000000000673749Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.179{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673748Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.178{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\Publisheractivestate corporation 13241300x8000000000000000673747Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.178{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\LowerCaseLongPathc:\program files\git\mingw64\bin\wish86.exe 13241300x8000000000000000673746Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.177{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\BinProductVersion8.6.2.11 13241300x8000000000000000673745Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.177{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673744Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.177{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\Publisheractivestate corporation 13241300x8000000000000000673743Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.177{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\LowerCaseLongPathc:\program files\git\mingw64\bin\wish.exe 13241300x8000000000000000673742Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.175{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\BinProductVersion(Empty) 13241300x8000000000000000673741Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.175{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\LinkDate11/17/2017 22:11:01 13241300x8000000000000000673740Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.175{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\Publisher(Empty) 13241300x8000000000000000673739Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.175{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\LowerCaseLongPathc:\program files\git\mingw64\bin\wintoast.exe 23542300x8000000000000000673738Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:06.172{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A0B7C7CEB7458DEF840E492904CB37,SHA256=93AE8009483CC824B6E133902F1ECDE9BC1E413653757E580E09A2442A01CCD6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000673737Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.168{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\BinProductVersion(Empty) 13241300x8000000000000000673736Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.168{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\LinkDate06/19/2025 15:30:53 13241300x8000000000000000673735Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.168{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\Publisher(Empty) 13241300x8000000000000000673734Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.168{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\LowerCaseLongPathc:\program files\git\usr\bin\winpty.exe 13241300x8000000000000000673733Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.158{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\BinProductVersion(Empty) 13241300x8000000000000000673732Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.158{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\LinkDate05/08/2031 18:06:26 13241300x8000000000000000673731Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.158{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\Publisher(Empty) 13241300x8000000000000000673730Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.158{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\LowerCaseLongPathc:\program files\git\usr\bin\winpty-debugserver.exe 13241300x8000000000000000673729Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.143{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\BinProductVersion(Empty) 13241300x8000000000000000673728Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.143{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\LinkDate05/08/2031 18:06:26 13241300x8000000000000000673727Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.143{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\Publisher(Empty) 13241300x8000000000000000673726Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.143{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\LowerCaseLongPathc:\program files\git\usr\bin\winpty-agent.exe 23542300x8000000000000000673725Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:06.140{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=22F201BCB9872CA7DD447E54C1254ECD,SHA256=2E9E33E26A9E14B64E8B09303288ECA32233D07A0422913F0B2AEF4673385764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673724Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:06.115{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2392338DBFC37DAE560EBA14033A0C18,SHA256=176376052E2E6A0CC1B0C2B6AE1DBB8148D55DD32E6692196E6509C8C6BE9501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673723Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:06.101{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B7A404FB36E43C927C1366F39363A31A,SHA256=2D511B114206B6A579B619903E2CD69C2134DB70A93885034F96B4B24CDE7481,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000673722Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.084{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\BinProductVersion(Empty) 13241300x8000000000000000673721Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.084{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673720Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.084{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\Publisher(Empty) 13241300x8000000000000000673719Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.084{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\LowerCaseLongPathc:\program files\git\mingw64\bin\whouses.exe 13241300x8000000000000000673718Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.063{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\BinProductVersion(Empty) 13241300x8000000000000000673717Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.063{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673716Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.063{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\Publisher(Empty) 13241300x8000000000000000673715Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.063{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\LowerCaseLongPathc:\program files\git\usr\bin\whoami.exe 13241300x8000000000000000673714Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.062{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\BinProductVersion(Empty) 13241300x8000000000000000673713Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.062{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673712Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.062{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\Publisher(Empty) 13241300x8000000000000000673711Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.062{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\LowerCaseLongPathc:\program files\git\usr\bin\who.exe 13241300x8000000000000000673710Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.061{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\BinProductVersion(Empty) 13241300x8000000000000000673709Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.061{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\LinkDate01/02/1970 12:24:32 13241300x8000000000000000673708Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.061{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\Publisher(Empty) 13241300x8000000000000000673707Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.061{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\LowerCaseLongPathc:\program files\git\usr\bin\which.exe 13241300x8000000000000000673706Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.060{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\BinProductVersion(Empty) 13241300x8000000000000000673705Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.060{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673704Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.060{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\Publisher(Empty) 13241300x8000000000000000673703Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.060{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\LowerCaseLongPathc:\program files\git\usr\bin\wc.exe 23542300x8000000000000000673702Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:06.060{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24CE1924C31219B21A21A1A8AAB4D196,SHA256=41B69E280E1EE3AAC00F6C447904FA9AFE927FD683C34205A29383579848C692,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000673701Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.060{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\BinProductVersion(Empty) 13241300x8000000000000000673700Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.060{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673699Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.060{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\Publisher(Empty) 13241300x8000000000000000673698Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.060{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\LowerCaseLongPathc:\program files\git\usr\bin\watchgnupg.exe 13241300x8000000000000000673697Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.059{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\BinProductVersion(Empty) 13241300x8000000000000000673696Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.059{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673695Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.059{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\Publisher(Empty) 13241300x8000000000000000673694Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.059{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\LowerCaseLongPathc:\program files\git\usr\bin\vimdiff.exe 13241300x8000000000000000673693Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.024{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\BinProductVersion(Empty) 13241300x8000000000000000673692Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.024{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673691Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.024{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\Publisher(Empty) 13241300x8000000000000000673690Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.024{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\LowerCaseLongPathc:\program files\git\usr\bin\vim.exe 13241300x8000000000000000673689Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:06.005{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\BinProductVersion(Empty) 13241300x8000000000000000673688Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:06.005{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673687Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:06.005{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\Publisher(Empty) 13241300x8000000000000000673686Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:06.005{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\LowerCaseLongPathc:\program files\git\usr\bin\view.exe 13241300x8000000000000000673685Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.984{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\BinProductVersion(Empty) 13241300x8000000000000000673684Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.984{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673683Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.984{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\Publisher(Empty) 13241300x8000000000000000673682Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.984{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\LowerCaseLongPathc:\program files\git\usr\bin\vdir.exe 23542300x8000000000000000673681Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:05.982{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BDE66A33A4FA23EA0508BBC9F4F467,SHA256=C43E4A27EC2F96D035A55F47E11DCAE5FF730506B9DE48D655FC982D115D9339,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000673680Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.981{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\BinProductVersion(Empty) 13241300x8000000000000000673679Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.981{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673678Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.981{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\Publisher(Empty) 13241300x8000000000000000673677Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.981{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\LowerCaseLongPathc:\program files\git\usr\bin\users.exe 13241300x8000000000000000673676Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.980{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\BinProductVersion(Empty) 13241300x8000000000000000673675Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.980{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\LinkDate06/19/2025 15:30:53 13241300x8000000000000000673674Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.980{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\Publisher(Empty) 13241300x8000000000000000673673Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.980{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\LowerCaseLongPathc:\program files\git\usr\lib\gettext\urlget.exe 13241300x8000000000000000673672Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.979{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\BinProductVersion(Empty) 13241300x8000000000000000673671Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.979{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\LinkDate05/08/2031 18:06:26 13241300x8000000000000000673670Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.979{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\Publisher(Empty) 13241300x8000000000000000673669Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.979{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\LowerCaseLongPathc:\program files\git\usr\bin\unzipsfx.exe 13241300x8000000000000000673668Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.978{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\BinProductVersion(Empty) 13241300x8000000000000000673667Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.978{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\LinkDate05/08/2031 18:06:26 13241300x8000000000000000673666Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.978{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\Publisher(Empty) 13241300x8000000000000000673665Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.978{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\LowerCaseLongPathc:\program files\git\usr\bin\unzip.exe 13241300x8000000000000000673664Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.975{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\BinProductVersion5.2.5.0 13241300x8000000000000000673663Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.975{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673662Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.975{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\Publisherthe tukaani project <https://tukaani.org/> 13241300x8000000000000000673661Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.975{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\LowerCaseLongPathc:\program files\git\mingw64\bin\unxz.exe 13241300x8000000000000000673660Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.973{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\BinProductVersion(Empty) 13241300x8000000000000000673659Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.973{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673658Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.973{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\Publisher(Empty) 13241300x8000000000000000673657Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.973{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\LowerCaseLongPathc:\program files\git\usr\bin\unlink.exe 13241300x8000000000000000673656Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.973{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\BinProductVersion(Empty) 13241300x8000000000000000673655Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.973{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673654Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.972{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\Publisher(Empty) 13241300x8000000000000000673653Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.972{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\LowerCaseLongPathc:\program files\git\usr\bin\unix2mac.exe 13241300x8000000000000000673652Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.972{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\BinProductVersion(Empty) 13241300x8000000000000000673651Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.972{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673650Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.972{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\Publisher(Empty) 13241300x8000000000000000673649Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.972{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\LowerCaseLongPathc:\program files\git\usr\bin\unix2dos.exe 13241300x8000000000000000673648Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.971{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\BinProductVersion(Empty) 13241300x8000000000000000673647Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.971{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673646Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.971{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\Publisher(Empty) 13241300x8000000000000000673645Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.971{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\LowerCaseLongPathc:\program files\git\usr\bin\uniq.exe 13241300x8000000000000000673644Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.970{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\BinProductVersion2.31.1.1 13241300x8000000000000000673643Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.970{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\LinkDate11/15/2020 09:48:32 13241300x8000000000000000673642Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.970{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\Publisherthe git development community 13241300x8000000000000000673641Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.970{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\LowerCaseLongPathc:\program files\git\unins000.exe 13241300x8000000000000000673640Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.951{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\BinProductVersion(Empty) 13241300x8000000000000000673639Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.951{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673638Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.951{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\Publisher(Empty) 13241300x8000000000000000673637Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.951{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\LowerCaseLongPathc:\program files\git\usr\bin\unexpand.exe 13241300x8000000000000000673636Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.950{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\BinProductVersion(Empty) 13241300x8000000000000000673635Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.950{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673634Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.950{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\Publisher(Empty) 13241300x8000000000000000673633Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.950{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\LowerCaseLongPathc:\program files\git\usr\bin\uname.exe 13241300x8000000000000000673632Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.948{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\BinProductVersion(Empty) 13241300x8000000000000000673631Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.948{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\LinkDate03/26/2021 22:24:41 13241300x8000000000000000673630Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.948{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\Publisher(Empty) 13241300x8000000000000000673629Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.948{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\LowerCaseLongPathc:\program files\git\usr\bin\umount.exe 13241300x8000000000000000673628Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.946{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\BinProductVersion(Empty) 13241300x8000000000000000673627Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.946{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673626Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.945{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\Publisher(Empty) 13241300x8000000000000000673625Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.945{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\LowerCaseLongPathc:\program files\git\usr\bin\u2d.exe 13241300x8000000000000000673624Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.945{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\BinProductVersion(Empty) 13241300x8000000000000000673623Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.945{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\LinkDate03/26/2021 22:24:41 13241300x8000000000000000673622Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.945{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\Publisher(Empty) 13241300x8000000000000000673621Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.945{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\LowerCaseLongPathc:\program files\git\usr\bin\tzset.exe 13241300x8000000000000000673620Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.941{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\BinProductVersion(Empty) 13241300x8000000000000000673619Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.941{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673618Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.941{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\Publisher(Empty) 13241300x8000000000000000673617Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.941{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\LowerCaseLongPathc:\program files\git\usr\bin\tty.exe 13241300x8000000000000000673616Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.940{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\BinProductVersion(Empty) 13241300x8000000000000000673615Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.940{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673614Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.940{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\Publisher(Empty) 13241300x8000000000000000673613Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.940{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\LowerCaseLongPathc:\program files\git\usr\bin\tsort.exe 13241300x8000000000000000673612Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.938{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\BinProductVersion(Empty) 13241300x8000000000000000673611Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.938{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673610Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.938{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\Publisher(Empty) 13241300x8000000000000000673609Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.938{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\LowerCaseLongPathc:\program files\git\usr\bin\tset.exe 13241300x8000000000000000673608Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.938{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\BinProductVersion(Empty) 13241300x8000000000000000673607Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.938{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673606Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.938{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\Publisher(Empty) 13241300x8000000000000000673605Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.938{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\LowerCaseLongPathc:\program files\git\usr\bin\trust.exe 13241300x8000000000000000673604Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.934{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\BinProductVersion(Empty) 13241300x8000000000000000673603Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.934{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673602Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.933{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\Publisher(Empty) 13241300x8000000000000000673601Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.933{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\LowerCaseLongPathc:\program files\git\usr\bin\truncate.exe 13241300x8000000000000000673600Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.933{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\BinProductVersion(Empty) 13241300x8000000000000000673599Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.933{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673598Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.933{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\Publisher(Empty) 13241300x8000000000000000673597Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.933{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\LowerCaseLongPathc:\program files\git\usr\bin\true.exe 13241300x8000000000000000673596Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.932{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\BinProductVersion(Empty) 13241300x8000000000000000673595Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.932{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673594Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.932{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\Publisher(Empty) 13241300x8000000000000000673593Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.932{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\LowerCaseLongPathc:\program files\git\usr\bin\tr.exe 13241300x8000000000000000673592Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.931{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\BinProductVersion(Empty) 13241300x8000000000000000673591Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.931{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673590Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.931{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\Publisher(Empty) 13241300x8000000000000000673589Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.931{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\LowerCaseLongPathc:\program files\git\usr\bin\tput.exe 13241300x8000000000000000673588Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.931{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\BinProductVersion(Empty) 13241300x8000000000000000673587Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.931{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673586Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.931{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\Publisher(Empty) 13241300x8000000000000000673585Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.931{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\LowerCaseLongPathc:\program files\git\usr\bin\touch.exe 13241300x8000000000000000673584Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.929{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\BinProductVersion(Empty) 13241300x8000000000000000673583Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.929{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673582Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.928{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\Publisher(Empty) 13241300x8000000000000000673581Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.928{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\LowerCaseLongPathc:\program files\git\usr\bin\toe.exe 13241300x8000000000000000673580Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.928{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\BinProductVersion(Empty) 13241300x8000000000000000673579Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.928{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673578Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.928{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\Publisher(Empty) 13241300x8000000000000000673577Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.928{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\LowerCaseLongPathc:\program files\git\usr\bin\timeout.exe 13241300x8000000000000000673576Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.927{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\BinProductVersion(Empty) 13241300x8000000000000000673575Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.927{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673574Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.927{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\Publisher(Empty) 13241300x8000000000000000673573Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.927{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\LowerCaseLongPathc:\program files\git\usr\bin\tig.exe 13241300x8000000000000000673572Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.919{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\BinProductVersion(Empty) 13241300x8000000000000000673571Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.919{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673570Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.919{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\Publisher(Empty) 13241300x8000000000000000673569Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.919{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\LowerCaseLongPathc:\program files\git\usr\bin\tic.exe 13241300x8000000000000000673568Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.918{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\BinProductVersion(Empty) 13241300x8000000000000000673567Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.918{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673566Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.918{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\Publisher(Empty) 13241300x8000000000000000673565Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.918{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\LowerCaseLongPathc:\program files\git\usr\bin\test.exe 13241300x8000000000000000673564Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-VerSetValue2021-05-13 19:37:05.917{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\BinProductVersion(Empty) 13241300x8000000000000000673563Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-CompileTimeClaimSetValue2021-05-13 19:37:05.917{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\LinkDate01/01/1970 00:00:00 13241300x8000000000000000673562Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PubSetValue2021-05-13 19:37:05.917{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\Publisher(Empty) 13241300x8000000000000000673561Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDB-PathSetValue2021-05-13 19:37:05.917{7B03F3B2-7FC6-609D-0256-00000000BA01}6592C:\Windows\system32\CompatTelRunner.exe\REGISTRY\A\{5f4499c3-b0c2-9c54-76a0-07542524398e}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\LowerCaseLongPathc:\program files\git\usr\bin\tee.exe 23542300x8000000000000000572684Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:07.793{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECC7C4E9B9D0B08140E1BE863C7150C,SHA256=1172976D8414F5EBB52EDFFE596AD77669932AFBA7E4521BEF6C6D896BD99E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673850Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:07.975{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A19FD3C3D8642D926C342FDDFAAA2D8,SHA256=A5DC0A5F67E090D0F55AA0B12919963C0FA06F9F07C5D6328D18F127A5F1FB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673849Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:07.291{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11FA66C9C3C5AAB8B6B7C6D02AE6B8A0,SHA256=26BFDC3251FCD8014E9D6FB33650C09150D4D92D2A0A14BE0B8FB6A9FD04E31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673851Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:08.988{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=695B73ECFC0A20B91EFF0924E18092E3,SHA256=4F387CFE8624B6114A631291595DE4BC75F17FD0CFD76D36341BC3E829A84F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572688Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:08.856{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7855845EF37FDFDA98DEEC705DC28F44,SHA256=49720955FDDC8413AD5A7B5E5A8A201DC2B64F7A7BCAF4B7AFC04AE198D7D8F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572687Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:06.643{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52790-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572686Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:08.043{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F116A599799E69697B11DDF177E3C6DF,SHA256=720102A8AD058E26E55102C073DA3F713DE76875D9E84877FA52A2639C2CD8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572685Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:08.043{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDA7ACB26D74974DEC0D48F73D7BB024,SHA256=EBCAD8A31248ED81CCD4D6918C255CC5B1EDAB3E76A152CDEAABB164268334D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572690Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:09.871{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4762CE9D29AE4A511AB8F3AF3910FF1,SHA256=EF553B5F75B5B8A463F7388B258D650D72ABB6C7E2ED9D03975C68527993AD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673852Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:09.257{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D812136669272D5D605D41E3B63CF9A9,SHA256=05F657A2FD052FF828EEBBCE93FA88935B697F615B265B3F9A19A8B39E7D9F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572689Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:09.496{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5F0430532F70DB316E81D73BFD2FEBCC,SHA256=0BEC5FDFDDF605C1CA49BF613A2922F0487449DD4C2BE5064E148E924F0A0811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572691Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:10.887{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07AE5056E9A54600B3491616DFE3364E,SHA256=DE06CEC51B33588262B9544E6B2670A6C492D06738A706FE6E698417C622B282,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673854Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:08.491{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51190-false10.0.1.12-8000- 23542300x8000000000000000673853Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:10.056{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51DF9EEA1C59A25F8DDA620464C3E146,SHA256=1460D9195D6B41FFB295335BEBD3C35850E11CAC991308A2941466493D03C709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572692Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:11.918{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A1E78F821E5E92365F2777D72A641C,SHA256=37B3BECC0EB621BA06DEB5FE2FAEE709C59A40DB57D832AE3D4B9FA9B8D60364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673855Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:11.057{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1EA193BDA099C977C73169796ADB10,SHA256=E07497B473738A9233E61267203BD4038FE229A423C5D5F7ADF12A4665A1DE6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572693Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:12.965{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E437AD8EA0EA7D4FC7D733AF68E98DB9,SHA256=CFA6BA71D3A26C3CD20B205DD53031E7B1A3CB592F5232CB19C533548D602E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673856Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:12.074{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DCF43FC053FD5531D7E9F4DC641068E,SHA256=5BD96C15DDC7E59FE56DD5D82810F4E95C580FFABE974489BDC8FB3ABCEB223F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572696Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:11.706{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52791-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572695Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:13.090{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5C46B716E419ED440D5F2BFCB56D845,SHA256=FBFC9CF64C7667791ABC12662FB5E0FAC11D1114F4E5FE010A46C962F651AD1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572694Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:13.090{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F116A599799E69697B11DDF177E3C6DF,SHA256=720102A8AD058E26E55102C073DA3F713DE76875D9E84877FA52A2639C2CD8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673857Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:13.091{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D069979C8AAA52389CE2DD2CCEA15A48,SHA256=6E902A83D38A0CD7E61AB69E7CAA2FF24678239FAE685556124E3F9DECE8A04B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572697Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:14.075{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163CD6F5585FE8A973AF837707DF83D6,SHA256=25F428C405016F6B1D48756419EF1F798B48C38A33A8CFEFE83E321757F7D7AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673858Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:14.112{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34BBF66E02CC69B2CE18313B7AE5DEBA,SHA256=3EAE9A3E882208A7F61CC55E3E2AEDFEBCAA691E0F15579EC50C84438F601CBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673861Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:15.116{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0700C9F5DC506D477C91DB1717A1F105,SHA256=DF9AE3EFBC0DB5C61DEDC49A68EE5D1160CE2E855214DE0D84916677DC2A179E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572698Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:15.090{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1570773764C4C9422C95359D9E5012,SHA256=632DA4CC900CF22920EF8530CEB12306E6003FB2BC24C83CDDDBA1D5A7F4C431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673860Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:15.078{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77C607C3E6C3DC93D310D2C128DF4647,SHA256=B682DDAD1FABA307879EB9D8BE134CFABF68649D23D93F36BFAD166DDF793E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673859Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:15.078{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3BE80BF9CAA318443A72AC398FBAD8C,SHA256=200D6A3714D3D31C4C1A92D27910FAEF4691C42B2ABA5A3935D30E85C4E240AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673863Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:16.196{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE6366384E1EF2FAB416AE6017D0A3E,SHA256=078F35E5D2AB62469A26EF5B8C4031BCFD75DDFCBB1E946A8C72DEFED5646045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572699Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:16.106{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29679B6AEEA3DF51710E3F580EA9C500,SHA256=EE2CF044B454BF281ED713598488AC157B0983649DD43147A14AAE5CD39A4249,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673862Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:14.320{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51191-false10.0.1.12-8000- 23542300x8000000000000000572704Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:17.106{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442DA115E5AE270F277121BEF44C2F1E,SHA256=FB0B7A0EE13A34ECF0DD6A1B29E58327446AF116EFA9359D44DC7A74AB97CA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673864Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:17.215{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA8CA9201A09F62F3D1B8CCF14E3CFE,SHA256=F1004C1ACBD119ACDC22EAB47F010780CF2F5FD6ACAA1DF8FB91D8007C657F31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572703Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:17.059{E1BD9FC2-D2BA-609A-0D00-00000000BB01}7922940C:\Windows\system32\svchost.exe{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572702Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:17.059{E1BD9FC2-D2BA-609A-0D00-00000000BB01}7922940C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572701Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:17.059{E1BD9FC2-D2BA-609A-0D00-00000000BB01}7922940C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572700Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:17.059{E1BD9FC2-D2BA-609A-0D00-00000000BB01}7922940C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000572708Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:16.721{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52792-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572707Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:18.137{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA0800B19DD030E19D7989D76FCE65B,SHA256=6971F4F227A7FB8E346F2AA30B2865ABE302EA560EB9860DB2B44D14240889CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673865Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:18.235{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6EB72DC4B1C4F4AE0816E8AC1BF2A2E,SHA256=4B48ED2760DBD5B6D3ED038FD0C7CDD457C002B9CCFD9B6F0BAC82D41F203933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572706Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:18.090{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=758C9F0EF3DDBC171F55B0EDD1BA8761,SHA256=841758A34E226B41DCC2A8DC110E27B5C61B75AA264DD0B413F7356CFFCA5896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572705Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:18.090{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5C46B716E419ED440D5F2BFCB56D845,SHA256=FBFC9CF64C7667791ABC12662FB5E0FAC11D1114F4E5FE010A46C962F651AD1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673866Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:19.266{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6605EA3A99586296E761F634057682D,SHA256=196F10C79DA4D158EC5B710382B3A3B216609302AAFEB49F39890396CE8DCA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572709Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:19.184{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B81459036A78A15830CA096D46793C6,SHA256=5AF494C0A8879F43E2D40A51071F7FBC652D4DE9EB37F99782BE260AEA3C67AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673869Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:20.287{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171430924C03DD7B69002C4BD775A473,SHA256=74046B56B01F22DD77748BD9616E79A318959CB99107C59DEB2D894951BEC158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572710Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:20.184{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE2E1B61B48BBD4D1CCDF1861B3E125,SHA256=F91983D26195B3954495E5B7D8EA50EA76EB7EF2BE9CB81A00A5698C2C5FF73E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673868Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:20.165{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=299C5A5F49B19B65AD72EB999BD2910A,SHA256=82DCCD4BE31FB3655841D3F9216D07B82695A2B0A2270F84562F01B359561179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673867Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:20.165{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77C607C3E6C3DC93D310D2C128DF4647,SHA256=B682DDAD1FABA307879EB9D8BE134CFABF68649D23D93F36BFAD166DDF793E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673871Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:21.302{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6342D704DF3AA4075F667B4E42AC679C,SHA256=851427A95617D5811A097D6D339741487D3A1F9A79EFA7476F0B5B9C56B1DC2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572711Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:21.199{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB0DC916428E56E7411B8EAAE68F38A,SHA256=FD92D33FAB22FF315757A3A780ED2B9D8BA2C43880FE7CB71EA17C826C4C80F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673870Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:19.396{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51192-false10.0.1.12-8000- 23542300x8000000000000000673873Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:22.420{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=299C5A5F49B19B65AD72EB999BD2910A,SHA256=82DCCD4BE31FB3655841D3F9216D07B82695A2B0A2270F84562F01B359561179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673872Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:22.350{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A205AA6F95BBD52CC691897CAB970DF,SHA256=BD86057497B9D4FF647064282AB7A329B898044165F00BE38EC0BF6F1FF5E604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572712Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:22.215{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6C76F0CD3B6DFCD6B0021B59A79CA7,SHA256=3C73338B7C43FFA85A9F7092F8744A2A3CCB2B4FFE7E700E1007811753230A0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572716Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:21.846{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52793-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572715Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:23.246{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5103FC9F9AA7F61BBF7BF773337AD65C,SHA256=9C6087D2E031F58265CE4A8F72524AECCED4F2988F4425DE3CD681BADCEBF4E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673874Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:23.395{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC1193214B5D6302098FC76416CD0CE,SHA256=809C25BD06B9704B62DCCC4639BE91BF6BF503E672CEE7273F182329DF48E23B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572714Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:23.231{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=351CE88E8E2A26CAB67EC5E8C6A82054,SHA256=CAAD76F76D9C48B08EC19CA96CEA104248E085B3AAB707541E1E228B3D474691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572713Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:23.231{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=758C9F0EF3DDBC171F55B0EDD1BA8761,SHA256=841758A34E226B41DCC2A8DC110E27B5C61B75AA264DD0B413F7356CFFCA5896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673875Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:24.425{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644B2E9F8D7993CC7EC88C7EB4F69246,SHA256=E5426CC45C139120F4479D1597309FA6F94F0436C0E056ADDB4C4927A5795C94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572717Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:24.246{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20D581B1936E6BEAB728013145954F5,SHA256=10042638B5C895DE7B3CCA861DDE073932341643D0DB76324E4746219EA5AD3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673878Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:25.425{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA94A532350C567A03AFE9B31F56E1EA,SHA256=88D8926FC232DC494974D1DDF4160A6F7CAD94E7F1403663D87DCC6AF7C24EFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572731Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:25.793{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7FF5-609D-FD50-00000000BB01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572730Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:25.793{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572729Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:25.793{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572728Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:25.793{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572727Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:25.793{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572726Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:25.793{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572725Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:25.793{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572724Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:25.793{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572723Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:25.793{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572722Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:25.793{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572721Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:25.793{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-7FF5-609D-FD50-00000000BB01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572720Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:25.793{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7FF5-609D-FD50-00000000BB01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572719Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:25.794{E1BD9FC2-7FF5-609D-FD50-00000000BB01}652C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572718Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:25.278{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E4D41734F6FD89E6B19139A2E11DBC,SHA256=3E252946530392390273159AAF70ADE936AD01D840BD45C37FD9BEBC58E55CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673877Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:25.262{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673876Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:25.163{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC294D0B334C301CDEDDF888722D8B6F,SHA256=C7E9524A29B135F248F49EE486492B0733565F11B5ACA046ED62537AF8477EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673883Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:26.438{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF8A04AD33A085A51FAB880593ECD01C,SHA256=71A3BDB890EC0C925757AF48E20DC402AF8C94CEB1E1FFF3566E9CAF85F8F203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572746Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:26.836{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=351CE88E8E2A26CAB67EC5E8C6A82054,SHA256=CAAD76F76D9C48B08EC19CA96CEA104248E085B3AAB707541E1E228B3D474691,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572745Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:26.461{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7FF6-609D-FE50-00000000BB01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572744Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:26.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572743Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:26.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572742Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:26.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572741Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:26.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572740Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:26.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572739Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:26.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572738Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:26.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572737Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:26.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572736Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:26.461{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572735Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:26.461{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7FF6-609D-FE50-00000000BB01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572734Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:26.461{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7FF6-609D-FE50-00000000BB01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572733Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:26.462{E1BD9FC2-7FF6-609D-FE50-00000000BB01}3668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572732Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:26.325{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7662E2F9AC7ADBC6891F50FFD696AD67,SHA256=54987722555F9679D735E015A51F87CC324FF1E2F1489F11BFF235115E11FC9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673882Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:24.487{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51194-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000673881Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:24.486{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51194-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000673880Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:24.408{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51193-false10.0.1.12-8000- 23542300x8000000000000000673879Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:26.306{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE4837302800F9BD3FA2B80EC5E05B1B,SHA256=5E79ED37D7417C622C810C801C31AA4A86AD1BD9D8FA8A16636E0AC2DBB9ADDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673886Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:25.486{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51195-false10.0.1.12-8089- 23542300x8000000000000000673885Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:27.456{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827CD733A2114050E4A5D47B2B92D95C,SHA256=8D7624AD9D6076CB5C150A4C038FA43762646F5DBA9ACBECA3BC043E3CB49A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572761Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.508{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82EB60F414E0E4A3CD988FCF74E12CA1,SHA256=F30DB1981987282EDB322A2771648AFBA4007BDD253D8D83A61D0512E478C524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673884Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:27.395{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C237ED725F34B29EBBFC09706E711BF,SHA256=45F6A4BF4A95698D28B8279BCC5BDE2DA9B376FF3C91813488419492231A53DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572760Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.258{E1BD9FC2-7FF7-609D-FF50-00000000BB01}33722620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572759Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.133{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7FF7-609D-FF50-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572758Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572757Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572756Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572755Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572754Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572753Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572752Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572751Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572750Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.133{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572749Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.133{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-7FF7-609D-FF50-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572748Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.133{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7FF7-609D-FF50-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572747Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.134{E1BD9FC2-7FF7-609D-FF50-00000000BB01}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572763Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:28.508{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5387FD1ABACD4D9F9BACBDB596838CC,SHA256=E898BC8A8DE497E14E914F631A7402FEDE28A6F5087256831A46C1AEDB57E510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673887Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:28.465{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415F28A0300866A52B5AE34827220B72,SHA256=5BF94FAE10464C849387607102F656480C1CE4C5533A450586F847D62346F6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572762Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:28.164{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0556F25359BB276A61277B703ACCB53,SHA256=C73E3C14913F09DA9894D075D63AE5D6BF4AC68C18110203A8E74A209692EDC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572766Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:27.764{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52794-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572765Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:29.836{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572764Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:29.524{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368355052C5BAB8382FE5875C18F3577,SHA256=089841A07EB9B001D963FBD3611CCF18050542F12DEFEA239C676B62EFABC42B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673888Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:29.481{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D209F6DA95AA86567864192EAEBC30B0,SHA256=A7BB0CCCC3A666C1C512CF60C0AB1EB6273FACD1B141C36B22F8307BAFFE42F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572769Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:29.452{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52795-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000572768Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:30.836{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0CB3A68B3A50C9087EB12581E8C6637,SHA256=5679E681E26D7DFA4A60B7C3963DE5109928485022087D5230B14992A4B8E36F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572767Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:30.539{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A502A0CF4AFE78F21F3B505A82F19429,SHA256=02CB61E0BA75865144E5B6F482066806D5887E5D8CF6E976749E9BA3EA230A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673890Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:30.534{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F205E6845DCA8A52F9D09170CA8A8F32,SHA256=07365061D3DDBCD4130D7871604D22C968D1276DA2B5922C86AB5176BBA9ACB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673889Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:30.216{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D46F1F4F2EEFE149239BCFBE55C17339,SHA256=326955B7A03BDA623EBDF2F1063755BE7F55BCA84849573AE6670AFF1BD4BBA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673892Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:31.558{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72581BDB950B0332945BDFB8F6316C9D,SHA256=B5E2F8B3CEFF29B7068B3F7A42EE70FFC08B096644F6C99C5BA00763969278C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572770Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:31.555{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D277CEBE93B36497D372914569863E3,SHA256=DB0ACDBEB7CB937C8F86BAEA1969D498136263B1989EE7BACAAC512899663009,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673891Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:29.443{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51196-false10.0.1.12-8000- 23542300x8000000000000000673893Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:32.588{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F19459236BBBB27E6123CABFD084F55F,SHA256=E0DCD7E7977946A58FF9BA1E79E12B4B2FF3318F84837FDB65F7BD48C727FEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572771Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:32.556{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67FD9CB35C173DCC51881490D1B20298,SHA256=429911627B4D43782A072786A5B709A5C67EC7EC9365A51DFCB907C011FA62AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673894Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:33.618{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64077F4AB631F5328175E462D3812515,SHA256=F9536853323B4511D0100ACB4BF55085B4BC9200BE2EADD2C7D313849D2830B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572772Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:33.590{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA0FAC76CF161156D173F3CA0C0B758,SHA256=EEFA6DDB0C794E7C9D713B26BA167CA7FD4118036647AD797D85DA7C4A1CA494,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572775Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:32.768{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52796-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572774Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:34.607{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CB6910631036686A7B9469A451065C,SHA256=721BE2590FFE4F0507855A033B07906043F962DEC68B63F2B7387321CA97435D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673895Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:34.637{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F6B1CCBAA7CC5F6D789939EA8CE0E0,SHA256=7C2F0FB8640C9FF1A9828382CED24B4E04F2FD838E89116350E9C461B29C0E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572773Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:34.169{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9792A5A3AC627C5EBA9A60C46238D10D,SHA256=383DDDE03860E823A594F3A917B13E8FE7A7715917EDD09C4304C83B98CEAD73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673898Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:35.642{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CE297A5BDF222914FF588ED3D8832D,SHA256=EE9A32615D310A6D5BF84FFDD83983928CFD2FC6B764C174665F814A85F15DB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572803Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.872{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7FFF-609D-0151-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572802Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572801Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572800Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572799Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572798Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572797Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572796Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572795Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572794Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.872{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572793Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.872{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-7FFF-609D-0151-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572792Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.872{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7FFF-609D-0151-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572791Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.873{E1BD9FC2-7FFF-609D-0151-00000000BB01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572790Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.654{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=995B8B315C0649AAA13B86B5C575CC34,SHA256=E11E7ED594C9E992856B21F71153E7252547FF68CA55070AEB712743FB06676E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572789Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.325{E1BD9FC2-7FFF-609D-0051-00000000BB01}37203520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572788Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.201{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-7FFF-609D-0051-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572787Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.201{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572786Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.201{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572785Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.201{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572784Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.201{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572783Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.201{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572782Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.201{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572781Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.201{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572780Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.201{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572779Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.201{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572778Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.201{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-7FFF-609D-0051-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572777Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.201{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-7FFF-609D-0051-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572776Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.201{E1BD9FC2-7FFF-609D-0051-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000673897Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:35.245{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1670FD484BB8736DC5F89B4CE6A4F41,SHA256=3FEF3DDB5E4A80A9B3907DE9AA1DBA561D08AC9DBD39265EE2DA1A23AB9B44BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673896Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:35.245{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5263E103952CC34356CE98E569E81E3B,SHA256=685F03D45798C62800A7237A4027116488B0E78A8280A2C839F05BBB38FC98A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673901Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:36.664{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540E22655EB80D3AD30DE8B496E61DCC,SHA256=3CD84D91EEC35373BAB55CF254B8FB52C8FDE2DF94BD949985509F386BC70842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572819Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:36.951{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF7CC39ED8800F5B2EE3E422E2052E8,SHA256=3176F911B17B9EF7D3978A72B120C39FE069F0F627FE59E0F4B61D41DE435A47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673900Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:34.464{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51197-false10.0.1.12-8000- 10341000x8000000000000000673899Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:36.395{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572818Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:36.544{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8000-609D-0251-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572817Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572816Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572815Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572814Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572813Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572812Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572811Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572810Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572809Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:36.544{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572808Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:36.544{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8000-609D-0251-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572807Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:36.544{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8000-609D-0251-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572806Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:36.545{E1BD9FC2-8000-609D-0251-00000000BB01}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572805Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:36.216{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1470FD9128047C0996C3871559BC7DE,SHA256=0116E8231A519130DF40470CA5BBA682776151A1F5F15F069A645599FF073BA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572804Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:35.997{E1BD9FC2-7FFF-609D-0151-00000000BB01}32563156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572835Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.966{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE45980B29345B4C14670D44270BE7FB,SHA256=F93FBBE00C9473A3C7524E65E76B1B8CDCB2B0C3BACA3832F29C0B73F03FE0D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673902Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:37.681{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198E8E8C5AE7F574681891F5F477DA49,SHA256=EF8583C80A5FA824AF3C5522893A2BB6522038F35AEDDFF18A798FFB8766143F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572834Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.763{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C0DCDA5D940366AE3ACBB98DD21562E,SHA256=30C5CC4E529140AA99C6C4DEDADD4100D619501913BEB155F5D6CCC59B0D0AF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572833Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.341{E1BD9FC2-8001-609D-0351-00000000BB01}23883044C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572832Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.216{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8001-609D-0351-00000000BB01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572831Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572830Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572829Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572828Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572827Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572826Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572825Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572824Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572823Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.216{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572822Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.216{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8001-609D-0351-00000000BB01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572821Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.216{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8001-609D-0351-00000000BB01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572820Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:37.217{E1BD9FC2-8001-609D-0351-00000000BB01}2388C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572836Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:38.982{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9876206F187AB905B784B00543CB8B02,SHA256=B0889020E4ABFAEB1637B5B0D8F2C8CC8DD65F6D49463340902A11A5E3799C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673903Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:38.684{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31B33B36222F3F3BCA211B4E12980A9,SHA256=42FA00FB2A831C7FBC7390980E8C80614CCA585ABD106786F233E3A2F9601846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572837Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:39.982{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38A7C000B532343CC934D0F51F4FF45,SHA256=13ABBB4CE881455829C3A44C496C94619830930BFB1A050C8CB63B45F5E296BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673904Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:39.694{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F918223E1F59F8DF5D09D937A22CDBB1,SHA256=D1866A08D3D06400BF3143301109B9F4E4EBA9A612ACEC1AA754D1E2C908A520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572839Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:40.982{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DDA9D34DA8F26BD0F012A80FC1ACEC7,SHA256=62CB20580FE765E7796C65C0E8AAEB74C87EA1CE79691EBED3141AA066184408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673907Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:40.698{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BA3862B6DD0BB4660A9AA8BB5D30437,SHA256=B0B29AB2570B548ADC4355F77D5992B6351521BB885518B102470B3192D87AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572838Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:40.185{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97F8DB1D700E0985EAAA20969E6454DD,SHA256=DB1A81D773D22DFDEFE55882252430736A124D03E307349D8CB36A537B7AE9EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673906Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:40.267{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=326219D937DF7FD8C99348CCA02A18D0,SHA256=5FFD2C4B4311E2EBB3E17D8F30DB01D348F65BBA51513F1CF9F42AEFB7C03B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673905Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:40.263{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1670FD484BB8736DC5F89B4CE6A4F41,SHA256=3FEF3DDB5E4A80A9B3907DE9AA1DBA561D08AC9DBD39265EE2DA1A23AB9B44BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673909Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:41.829{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92DEA53868D7151442E83214E23E901,SHA256=4310996080A09FDAEC8F97E63228E2813859A632F5DFEEAE1F0251EA495EB81E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572840Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:38.800{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52797-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000673908Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:39.491{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51198-false10.0.1.12-8000- 23542300x8000000000000000673911Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:42.852{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05015AC8E51C7E67AADC40DC18DDA5F,SHA256=43B335EF779AC4091B2478004EF2FF1A0BB8F0038774192CC4ADB2792B2192BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572841Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:41.998{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB64325873B8D3D2661559B36AEC54EE,SHA256=886A9362B427A9BC410FF59EE216EDA1FD98D17A99EFE5F6E68AAE1A764E3DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673910Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:42.581{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=326219D937DF7FD8C99348CCA02A18D0,SHA256=5FFD2C4B4311E2EBB3E17D8F30DB01D348F65BBA51513F1CF9F42AEFB7C03B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673912Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:43.865{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D91905BF216C93757D063CAD6A549A9,SHA256=95EF52183DDBD3C55B589F206676C9C8F8D8013C4FF2652BA298EAE1A545A9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572842Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:43.013{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F583E2A97E9311B98AD4A02091A6E69A,SHA256=BFE9A814F805C695ADBCFB618D678AC8C26C352A09C7A532C1C5AE8DB67F4F54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673913Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:44.880{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFAB9FF0169CCD7127B531800FFA8DC2,SHA256=5F01291A18D89206B4FE393139FFFB5589639BD96709C8B4EF3EA375D55975D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572843Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:44.044{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B819B96DCF5F1569D0E7E1701C426BED,SHA256=49BF24863B2C6E8BF3D0B29DA7BA8EDBCF7D512B7646A672FB92369F7F8BE999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673930Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.905{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465889BA89301DF640669E7677CD2282,SHA256=6BAF3E31176CD1B31816FFFFFE67D924B37553E8BE168D5ED885935762AFA0B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673929Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.749{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8009-609D-1656-00000000BA01}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673928Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.747{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673927Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.747{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673926Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.747{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673925Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.745{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673924Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.745{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8009-609D-1656-00000000BA01}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673923Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.744{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8009-609D-1656-00000000BA01}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673922Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.744{7B03F3B2-8009-609D-1656-00000000BA01}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000673921Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.079{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8009-609D-1556-00000000BA01}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673920Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.070{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8009-609D-1556-00000000BA01}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673919Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.071{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673918Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.071{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673917Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.071{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673916Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.070{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673915Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.070{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8009-609D-1556-00000000BA01}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673914Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.070{7B03F3B2-8009-609D-1556-00000000BA01}4192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572846Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:45.247{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EEAB64F51FC737C8535C3B7207FACD8,SHA256=C6BA067E9A2B930EF840934797CC97F575ECEB38C5E99C5BA1F9331C00AE4FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572845Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:45.247{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB4B45481891C840081E90AAD6B532A7,SHA256=274D7B864E982020857FAE2F2764771A9DC230659219C8ECA74487532849E069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572844Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:45.076{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=438A49152654F9083D26517148018A99,SHA256=B79AC024A42BD1ECFD83180138FABA0AD18DFD2E0FDDEC9337EACAD30B749D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673942Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:46.925{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA70AF448C23B083F6BD3DA70CACFD3,SHA256=008B57247AB4B0CC1778AD32CFE59F9C57A77D215E9547EA7138E6268CF4EA69,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572848Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:43.863{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52798-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572847Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:46.107{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C116127B8777CBEA46FF47F569FAF6,SHA256=2CF553CC4BB1E1F5710A2162F1AF23BC1EB0777793FBF80E2FAD36405FBF02F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000673941Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:45.327{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51199-false10.0.1.12-8000- 10341000x8000000000000000673940Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:46.426{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-800A-609D-1756-00000000BA01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673939Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:46.424{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673938Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:46.423{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673937Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:46.423{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673936Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:46.423{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673935Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:46.423{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-800A-609D-1756-00000000BA01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673934Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:46.423{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-800A-609D-1756-00000000BA01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673933Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:46.422{7B03F3B2-800A-609D-1756-00000000BA01}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000673932Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:46.077{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF726CE17C31CBF9DDC52E04385FEC52,SHA256=0159CC1D96A06B3E2C37E2DEB2DED2F21791F09BF7DBB611B91AC5F5618399CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000673931Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:46.010{7B03F3B2-8009-609D-1656-00000000BA01}4544996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674011Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.936{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D98F5DECCEB7EA4BDEB61EDCD597425,SHA256=FE159DEEDF35381F05DAD205BAACF2E0BF2D05C67BE6855ED45B5BAAE10514EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572849Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:47.168{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4D1BD56B2603EEF48C1AE96E93E2DC,SHA256=3A3E45D927E8F716BA433B4015396C869ED74F31883D3F3AB4540E406358B60C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674010Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.904{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-800B-609D-1C56-00000000BA01}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674009Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.897{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674008Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.897{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674007Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.897{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674006Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.896{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-800B-609D-1C56-00000000BA01}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674005Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.897{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674004Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.896{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-800B-609D-1C56-00000000BA01}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674003Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.896{7B03F3B2-800B-609D-1C56-00000000BA01}8096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000674002Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.417{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7862EE89B2D8404E4F432D8705A5EFBE,SHA256=82A6DF727A52AF6E7AED8B794B643BAF93713EE943A15543F3C495E9D16AD76A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674001Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.417{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A8E194329084A270CAA929B135CF4A7,SHA256=1C83F6F8FFB33862C441F5C42305A9944CAF9C06FBB333B1007374010DFE7645,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674000Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.385{7B03F3B2-800B-609D-1A56-00000000BA01}70165392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000673999Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.301{7B03F3B2-800B-609D-1B56-00000000BA01}4812NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxnmsg.dllMD5=6D4200720B659B72D790526B09FEDFF4,SHA256=66C3CD0325D717523BFD14EAB1CFBE13F614BA753AB125FD734747ACB27EE9CF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000673998Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.301{7B03F3B2-800B-609D-1B56-00000000BA01}4812NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.sysMD5=060959F9BE8EAEACB47255658A7018CB,SHA256=6EC9C4CEC786FF06EA2D6F547798FAE4E255662219FD5536D5FAC7B6108B729F,IMPHASH=5A9046C211055D28BF0892E100F10D44truetrue 23542300x8000000000000000673997Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.285{7B03F3B2-800B-609D-1B56-00000000BA01}4812NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.PNFMD5=76ECEA82F53EF95A76B2207ABDD1FC97,SHA256=C2730843E1517FDEECD302D93FC7D629A42C4FE9060F6FCA37A7085759907571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673996Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.285{7B03F3B2-800B-609D-1B56-00000000BA01}4812NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.infMD5=1B69FDC8CCD34B8B3743C8A97C2E90AD,SHA256=83CCF811C2F2F9F8337270D5AF00AE41E76F8BE3E83B1B46A9494A350BC4C142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673995Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.285{7B03F3B2-800B-609D-1B56-00000000BA01}4812NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.dinMD5=E3142F1ED12D1F1D6574C564FEF14A7F,SHA256=A220E8A7BF2233813DE1EAFD17A075C3B4E071B52E48D9EE17FFA199527A1F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673994Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.285{7B03F3B2-800B-609D-1B56-00000000BA01}4812NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.catMD5=760F99775B12D3C68FAC49268C261656,SHA256=FDB58B626E4F572F8257D70CA888CC8F2E35B770329FAAADF9BB56C6456C4AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673993Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.285{7B03F3B2-800B-609D-1B56-00000000BA01}4812NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\NicInVXN.dllMD5=C8AFAA519298C27D145550F2D57B4F94,SHA256=A92B47A8D57DFBAC758E713EB6A62A5969E4EF00DE3463C1179A8133D0A7D620,IMPHASH=913216F349C3C30723EACBE7EFAC0752truetrue 23542300x8000000000000000673992Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.285{7B03F3B2-800B-609D-1B56-00000000BA01}4812NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\NicCo4.dllMD5=0BD0040999429E77C02912F052B4A8DC,SHA256=C0109B670B60721665D62C9677B6A816009E7421C341B31DE7B2B76E357694B6,IMPHASH=5A14127160FF1090472EFBA582E1C28Btruetrue 23542300x8000000000000000673991Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.254{7B03F3B2-800B-609D-1B56-00000000BA01}4812NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\INF\oem14.infMD5=1B69FDC8CCD34B8B3743C8A97C2E90AD,SHA256=83CCF811C2F2F9F8337270D5AF00AE41E76F8BE3E83B1B46A9494A350BC4C142,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000673990Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.238{7B03F3B2-800B-609D-1B56-00000000BA01}4812C:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\drvstore.tmp2021-05-13 19:37:47.054 10341000x8000000000000000673989Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.238{7B03F3B2-800B-609D-1B56-00000000BA01}48126348C:\Windows\system32\DrvInst.exe{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\DrvInst.exe+dc1e|C:\Windows\system32\DrvInst.exe+11cf|C:\Windows\system32\DrvInst.exe+158cd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673988Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.238{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673987Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.238{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673986Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.238{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673985Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.238{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673984Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.238{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-800B-609D-1B56-00000000BA01}4812C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673983Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.238{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-800B-609D-1B56-00000000BA01}4812C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\umpnpmgr.dll+b0b2|c:\windows\system32\umpnpmgr.dll+9f88|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673982Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.228{7B03F3B2-800B-609D-1B56-00000000BA01}4812C:\Windows\System32\drvinst.exe10.0.14393.0 (rs1_release.160715-1616)Driver Installation ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationDrvInst.EXEDrvInst.exe "5" "0" "C:\Windows\System32\DriverStore\FileRepository\vxn65x64.inf_amd64_c593c0df0f473a4e\vxn65x64.inf" "0" "484ad2367" "0000000000000BEC" "WinSta0\Default"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=188CE3916E9FD3D123F38F01F8F8B93C,SHA256=C196086017725E8724DAB1DFDFABA9F4B7CFACD47A885BCC81984F8BC78D9F75,IMPHASH=35385286B2F23FB279C3D2868A503474{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000673981Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.217{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-800B-609D-1A56-00000000BA01}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673980Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.217{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673979Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.217{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673978Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.217{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673977Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.217{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-800B-609D-1A56-00000000BA01}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673976Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.217{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673975Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.217{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-800B-609D-1A56-00000000BA01}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673974Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.218{7B03F3B2-800B-609D-1A56-00000000BA01}7016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000673973Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.201{7B03F3B2-800B-609D-1956-00000000BA01}4808NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\null_hecisystem.PNFMD5=B15D63802FF9708FFE41993E7158DAEA,SHA256=3FF15732BD811BDFAD0A25C2BF4B2ACA3650A835BF97E95A034336498B702E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673972Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.201{7B03F3B2-800B-609D-1956-00000000BA01}4808NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\NULL_HECISystem.infMD5=9BE07E097B29209B5691B485F326B6C1,SHA256=ED89E7D2E5399834E6666ABA7770EDB3CFEFEB9D212951596C58E655CCE909A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673971Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.201{7B03F3B2-800B-609D-1956-00000000BA01}4808NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\NULL_HECI.catMD5=21B9B34047D9F75857F25B19F48B21ED,SHA256=E1BFDF4EDC1AEA9B94D3CC1F531A4BFAD96743900ABE8FDBDD5FEC95C863C08A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673970Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.154{7B03F3B2-800B-609D-1956-00000000BA01}4808NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\INF\oem10.infMD5=9BE07E097B29209B5691B485F326B6C1,SHA256=ED89E7D2E5399834E6666ABA7770EDB3CFEFEB9D212951596C58E655CCE909A0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000673969Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.154{7B03F3B2-800B-609D-1956-00000000BA01}4808C:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\drvstore.tmp2021-05-13 19:37:47.054 10341000x8000000000000000673968Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.139{7B03F3B2-800B-609D-1956-00000000BA01}48082764C:\Windows\system32\DrvInst.exe{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\DrvInst.exe+dc1e|C:\Windows\system32\DrvInst.exe+11cf|C:\Windows\system32\DrvInst.exe+158cd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673967Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.139{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673966Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.139{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673965Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.139{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673964Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.139{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673963Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.139{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-800B-609D-1956-00000000BA01}4808C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673962Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.139{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-800B-609D-1956-00000000BA01}4808C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\umpnpmgr.dll+b0b2|c:\windows\system32\umpnpmgr.dll+9f88|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673961Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.130{7B03F3B2-800B-609D-1956-00000000BA01}4808C:\Windows\System32\drvinst.exe10.0.14393.0 (rs1_release.160715-1616)Driver Installation ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationDrvInst.EXEDrvInst.exe "5" "0" "C:\Windows\System32\DriverStore\FileRepository\null_hecisystem.inf_amd64_fe9d94bd0664c1b8\null_hecisystem.inf" "0" "4deebfe63" "0000000000000BD8" "WinSta0\Default"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=188CE3916E9FD3D123F38F01F8F8B93C,SHA256=C196086017725E8724DAB1DFDFABA9F4B7CFACD47A885BCC81984F8BC78D9F75,IMPHASH=35385286B2F23FB279C3D2868A503474{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000673960Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.103{7B03F3B2-800B-609D-1856-00000000BA01}7668NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxnmsg.dllMD5=C4FD6144854107881753962266C11543,SHA256=AB9445DA45C287F09C5BE90EEAB1C2ED7B97982A34949C45DA407F390FACBDB3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000673959Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.103{7B03F3B2-800B-609D-1856-00000000BA01}7668NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.sysMD5=AF4E936C49B994EF0A141789C2290A16,SHA256=00D327607BF7D7695AE9A6EB94CB34BC1D8828E834F72D61D2748EFF2B3C5BAA,IMPHASH=E2B74CDB105BD582CF5327E3935D9693truetrue 23542300x8000000000000000673958Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.088{7B03F3B2-800B-609D-1856-00000000BA01}7668NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.PNFMD5=94A7A207CDB8652E8A64430AA29827D4,SHA256=7200638615D6DD13BA60ABD2583A912D419E352352971324022C07D822C438B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673957Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.088{7B03F3B2-800B-609D-1856-00000000BA01}7668NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.infMD5=199ACC11483A48E8BA7B02842AC2BE15,SHA256=9F3558265B484A5239797B4052E420237A40BCA34D1BE108EA9DD7E462FC6F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673956Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.088{7B03F3B2-800B-609D-1856-00000000BA01}7668NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.dinMD5=63E4A99BED8B4322CE1A9692E675A125,SHA256=33D07248FDAB322DAC2B1AD7B01269C57BB6A4148191B9D6CABF5BF6C41742A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673955Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.088{7B03F3B2-800B-609D-1856-00000000BA01}7668NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.catMD5=6630B6384092EA07EA6444D817194465,SHA256=C9D99D973DBFB23C0EF1B517C27EDA94477D7E5E94A616C20266D344E892E6F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000673954Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.088{7B03F3B2-800B-609D-1856-00000000BA01}7668NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\NicInVXN.dllMD5=8697E77D522CCA7412460E377FBD7438,SHA256=B98871E10F6FA38FB6D8D4270085BF06396300B228D5885419453FA0C6395678,IMPHASH=ADC7B716DB197BAC9AE69CFC2A7017D8truetrue 23542300x8000000000000000673953Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.088{7B03F3B2-800B-609D-1856-00000000BA01}7668NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\NicCo36.dllMD5=4AA441F4AD7491BDB2162F87A1DA6A3A,SHA256=56954C185A7D8CCD391C08FA998B59B13765688CD53BBCFC56E4FE2079B5E4BB,IMPHASH=DD763F8C38ECDB2B8D750E0941DC51EFtruetrue 23542300x8000000000000000673952Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.054{7B03F3B2-800B-609D-1856-00000000BA01}7668NT AUTHORITY\SYSTEMC:\Windows\system32\DrvInst.exeC:\Windows\INF\oem3.infMD5=199ACC11483A48E8BA7B02842AC2BE15,SHA256=9F3558265B484A5239797B4052E420237A40BCA34D1BE108EA9DD7E462FC6F11,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000673951Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.054{7B03F3B2-800B-609D-1856-00000000BA01}7668C:\Windows\system32\DrvInst.exeC:\Windows\System32\DriverStore\drvstore.tmp2021-05-13 19:37:47.054 10341000x8000000000000000673950Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.054{7B03F3B2-800B-609D-1856-00000000BA01}76684024C:\Windows\system32\DrvInst.exe{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\DrvInst.exe+dc1e|C:\Windows\system32\DrvInst.exe+11cf|C:\Windows\system32\DrvInst.exe+158cd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673949Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.038{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673948Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.038{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673947Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.038{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673946Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.038{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000673945Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.038{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-800B-609D-1856-00000000BA01}7668C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000673944Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.038{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-800B-609D-1856-00000000BA01}7668C:\Windows\system32\DrvInst.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\umpnpmgr.dll+b0b2|c:\windows\system32\umpnpmgr.dll+9f88|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+29cc|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000673943Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:47.034{7B03F3B2-800B-609D-1856-00000000BA01}7668C:\Windows\System32\drvinst.exe10.0.14393.0 (rs1_release.160715-1616)Driver Installation ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationDrvInst.EXEDrvInst.exe "5" "0" "C:\Windows\System32\DriverStore\FileRepository\vxn64x64.inf_amd64_df877aee8011acb4\vxn64x64.inf" "0" "48643ea57" "00000000000008E4" "WinSta0\Default"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=188CE3916E9FD3D123F38F01F8F8B93C,SHA256=C196086017725E8724DAB1DFDFABA9F4B7CFACD47A885BCC81984F8BC78D9F75,IMPHASH=35385286B2F23FB279C3D2868A503474{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000674016Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:48.943{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A55875BF5224B5EB0E2FC1EF70444734,SHA256=1CA8D97288DAFE22E7BF750C7E1EEF182EC5F6A443EC22C5FAAF1A24B8435CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572850Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:48.215{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82AD15E3D4286CAB768F7B366315936C,SHA256=1E09C15DA4612F141497BFDE25ABE13765FF5CDB9E964DAE72588EACBCD6C2F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674015Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:48.912{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED1826C4F5C3E61B74DD899897A97C9F,SHA256=27D3B0CCDAFF2636F081FA7A18ABA1ACD8A0C1C3555D8127327172BFCF890F8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674014Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:48.149{7B03F3B2-800B-609D-1C56-00000000BA01}80963364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674013Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:48.039{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=110BE0A1E40C07A8DD27819F1040B4E8,SHA256=5A33D44D56BA2E5144EA1345C426A92C56A610042802890DB642685DD6390736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674012Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:48.038{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=22F201BCB9872CA7DD447E54C1254ECD,SHA256=2E9E33E26A9E14B64E8B09303288ECA32233D07A0422913F0B2AEF4673385764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674019Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:49.995{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A1EECC23E6C30FAC342DFD70918179,SHA256=70EB698A56965053A7E6FE26816B7B3BFB35D781C7F9DF88CA37A944A9E04F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572851Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:49.278{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4FEBFFCEBDD3E2CEB23300FA2281F4,SHA256=965DD9C39B67C6AFB310B04C85A8770F1D1F4857C20FDD8E6655000A08AB3F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674018Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:49.143{7B03F3B2-31A0-609C-4F2D-00000000BA01}968ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\AMY8E9NH\views[1]MD5=A726593A8261930E4786375106FC6BFE,SHA256=E6BFDFBB9A0649EA9D38DE4255C355C581097E6A1035A54943260B22AD45F172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674017Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:49.143{7B03F3B2-31A0-609C-4F2D-00000000BA01}968ATTACKRANGE\AdministratorC:\Windows\system32\taskhostw.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DT9B8L13\views[1]MD5=BEE1758A485085BB8A121EB74BA7E96F,SHA256=EDCAD5B1CE8A304B70B8C9EA57D4AEAB740D979FFA59243B943011CB1BA4D57E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572854Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:50.340{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36FB7F5ED8A75216C91C8A7BE52689C3,SHA256=41DDA66D9CBAE2AB656C7B0620A07D5F9AE9A7B5C909012E7FDFCB86AFAB80FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674027Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:50.878{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-800E-609D-1D56-00000000BA01}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674026Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:50.878{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674025Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:50.878{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674024Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:50.878{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674023Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:50.878{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674022Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:50.878{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-800E-609D-1D56-00000000BA01}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674021Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:50.878{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-800E-609D-1D56-00000000BA01}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674020Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:50.879{7B03F3B2-800E-609D-1D56-00000000BA01}6012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572853Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:50.262{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00FC11E605A45373D6CD49211B90F298,SHA256=98D03A0AA41804F50A59F765BA5D69898BC6A581C81E72BDFD05960FD04C8D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572852Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:50.262{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EEAB64F51FC737C8535C3B7207FACD8,SHA256=C6BA067E9A2B930EF840934797CC97F575ECEB38C5E99C5BA1F9331C00AE4FBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572856Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:48.877{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52799-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572855Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:51.418{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54CA0ECA974C448D113E5AE5773ABDA8,SHA256=5FC64C632A979DB518A175F75727B051A8B08D2E920F3F7C926E51633EC2531F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674038Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:51.879{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=766416B1E0FD8FE747A57F85F87B55DE,SHA256=C8F0E40D46CBC04A574505CCA19612F930B621ACA78DDC158CE5084E38B74E35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674037Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:51.463{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-800F-609D-1E56-00000000BA01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674036Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:51.463{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674035Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:51.463{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674034Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:51.463{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674033Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:51.463{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674032Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:51.463{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-800F-609D-1E56-00000000BA01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674031Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:51.463{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-800F-609D-1E56-00000000BA01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674030Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:51.465{7B03F3B2-800F-609D-1E56-00000000BA01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000674029Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:51.230{7B03F3B2-800E-609D-1D56-00000000BA01}60124040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674028Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:51.141{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863DA0562B3B9201B00FA353ACC53A94,SHA256=31B69732E28F7FA739AA34DD4FB3EA97AEB1290417DBA5DA8D386E904BC28A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572857Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:52.481{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A942D34BE96B74EB8D4325F2BAA821,SHA256=37C6062DFC8B2B69CA91AACFEACBE4441C5D1BD595B4308A51069104C6CA232B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674040Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:51.364{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51200-false10.0.1.12-8000- 23542300x8000000000000000674039Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:52.149{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56720C189FF03A75FC765692E3B10D2E,SHA256=75B8A91C1E716A325981D0AB88A51430779659CBC19DA2C5C561896F0031A6ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572858Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:53.512{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11A14B71F116A3FD302C5971E310AF73,SHA256=C73E62F0F630583443F26CE5135A79FD6EF98C29DD664C0BE6225D26559A588D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674187Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.563{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D91BE5E6E4754506937B60A843A2AFED,SHA256=B39D8DD7EA2A87E5CEEB06668AEF7C509A6AF658EC36A231409F75DF1E9C1F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674186Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.479{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\WimProvider.dllMD5=1B0C7DFB2240BA004B37904073624DB3,SHA256=F2C7DB522DDE968EDF49B03BC10978AAC4C42C745CA4A474627E8CEBBCEBB00A,IMPHASH=20D31D66F56B810094B1AA564C92009Dtruetrue 23542300x8000000000000000674185Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.479{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\VhdProvider.dllMD5=F37C8F5BF852151D9BF085687A8DEC6D,SHA256=6CDFC95C2F2ED3695D5EE8CF4367A6C7FB5707DA3C234CEE8FA8C1BBDE426DE7,IMPHASH=3CA997A1A0BD38B850B18DAED5E948DEtruetrue 23542300x8000000000000000674184Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.463{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\UnattendProvider.dllMD5=3DB4777B76FC1973A61754FAEC348981,SHA256=29A4C7379E5A0A7532C90B5ACE0DD99AB5311D03CC0BA6A4BCFB410D7D8B01AE,IMPHASH=4FA75E8720452554D61C8AC5FD64C43Ftruetrue 23542300x8000000000000000674183Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.463{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\TransmogProvider.dllMD5=5E82E2B7CFF045C7CDA8E33EAB186402,SHA256=0038B82E999C3DEF3980D39A8CAED9EA6B52A4FC9EF58BF3B3F5FC91F7748112,IMPHASH=7746C0E3C7D3763C5F13C90D4934087Btruetrue 23542300x8000000000000000674182Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.448{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\SmiProvider.dllMD5=C5C7A9E3121B91E51ECFBA6FB2985044,SHA256=FB519B9EEF4C3344D58C768BD3AD7ADCB0677EA7B998056B6A13620CB9E61412,IMPHASH=03C38376DA7CCE75E82EECACADA0EA03truetrue 23542300x8000000000000000674181Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.448{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\ProvProvider.dllMD5=5077063311C5708318C5FA3E255011ED,SHA256=97FA95102B6ACF00C70F140EE9FA4A73A6BE7C03E0F0D99AE58DB5E492CD0ECA,IMPHASH=D8DD764BFC0F1D9E403714D169018B83truetrue 23542300x8000000000000000674180Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.448{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\OSProvider.dllMD5=4868187A2F176074DB7F35E356F74D4F,SHA256=84C8C4C67C808871A278254304D985533F67D44391840F43674FC829014E1B60,IMPHASH=82A4D833A82D441391A9AA3027199337truetrue 23542300x8000000000000000674179Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.432{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\OfflineSetupProvider.dllMD5=86B7E8438B1125C479FD275B1BDDB9A7,SHA256=47FAF8671B25A30D7BCC47AD35926D70DB633A181FA6C276479B4408A526E63E,IMPHASH=B8B4A188EFC4F12D33591C6D319B6F12truetrue 23542300x8000000000000000674178Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.432{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\MsiProvider.dllMD5=EA19239A85416A488360FA564D312402,SHA256=F21591336CD1A24EE941827620405FA34414C1C349216B4B8083ECD1FFF17C29,IMPHASH=33E1132923056DDEFB0521726DA5B987truetrue 23542300x8000000000000000674177Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.432{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\LogProvider.dllMD5=F7DB4F104DBB56DF5A156E7329E80112,SHA256=7C67EFAF44D1413576B4575B1A4C975BCB10B64BEF13E6756E895D4DB9E61AA2,IMPHASH=FB695172E8A76C56E97CE435F8ED0220truetrue 23542300x8000000000000000674176Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.432{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\IntlProvider.dllMD5=0082903881275179642AE83EFA720310,SHA256=7CCF1625E6FBE4DB16F12AC037E4236A3EF269DEE47A157C68374C867941F9E8,IMPHASH=CFB81BC5FF922F23D605A653700FE666truetrue 23542300x8000000000000000674175Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.429{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\ImagingProvider.dllMD5=EEB4AA36BAD26A2C6216A1FF3439B58C,SHA256=44A6679425039DC870C297294C4B3323F6FA9DE5C7D16D7D0AB7E1254AFC75D3,IMPHASH=0264D9B4BFE54732ADF0E29BC73BF280truetrue 23542300x8000000000000000674174Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.426{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\IBSProvider.dllMD5=11DE34FCDB75E79A920D3B491F3E7BF0,SHA256=6B7C7AD8B1AD522B27B2CC5E4F76F56ADE4495D7D46CE4F997A68954F072AF17,IMPHASH=C755896FA14213058E34639A28868FBCtruetrue 23542300x8000000000000000674173Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.411{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\GenericProvider.dllMD5=397ED660129D40927A27B75A4B8FAE2E,SHA256=EAFCECFE911DABB4531E1331DDF2E119DCBB6B7A887D70BDE737EA76BE10EB74,IMPHASH=F55EE75573C110804DE5E50ACEEC1B06truetrue 23542300x8000000000000000674172Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.411{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\FolderProvider.dllMD5=6428B4D0C26DB23E9478F039891CD5C9,SHA256=55126BB099785C2F9CD32A30991082C47D62C8231D570A9D8A6F3CC599B25EE1,IMPHASH=B2CC5EDD42A866F7CB6CAE42DB969187truetrue 23542300x8000000000000000674171Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.411{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\FfuProvider.dllMD5=E27BC7F808E72F08372BA3C40B4B6344,SHA256=927B194432046C0D2ADF7C7B71E4BE85602C4D00A5D6EDA9F9DB9924E1C3447A,IMPHASH=8580AF5C1871319D05329DB2E96A8146truetrue 23542300x8000000000000000674170Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.411{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\WimProvider.dll.muiMD5=CC3B15540DDB521A300BAFF0BF4F902E,SHA256=33C06CC037DF1EBB72A15BCC2E09BC89DFEF7DD94441C650FD3D0C833122002A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674169Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.411{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\VhdProvider.dll.muiMD5=10536C56F02E68EBD13D0B2CE8665C6A,SHA256=06C3B71D251A8DD47D02EDBFBE84E0B6B1D67956DE4D3996031434CBAD728929,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674168Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.411{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\UnattendProvider.dll.muiMD5=B7E3676672BE6851EA13ADD879C2945E,SHA256=2D2D82EE842CD346B58DCAFAE6FEC46D491E0D15CFBE0D8964A4AB7F18C5AAB9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674167Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.411{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\TransmogProvider.dll.muiMD5=D5D596B1102DA565C2ED1FAAC170E758,SHA256=B5DBB36E947FD64AAF22C53F0A9634C7D72D4CC270C055B67E020920BF806909,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674166Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.411{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\SmiProvider.dll.muiMD5=CAD746ED5AF63E7FC49ED4A5A3984629,SHA256=016C6071B04E6D7E12AD9B8A85C002320331E01ED62922C573A1AC43BA0DD919,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674165Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.411{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\ProvProvider.dll.muiMD5=70AFEC86B6CF677BF8D3C713CA3281FB,SHA256=C8579EC95A51EB663FFC6145F0998C2F1930A6B8146C84C0A9094BCA4E5195A7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674164Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.395{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\OSProvider.dll.muiMD5=A464DFEDEA8520616AA9B2ACD166A77F,SHA256=54E985CFF256CEBE82E9EF3E814A5FDA9FF730BCB50265E9BA78DE65A4DE3F42,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674163Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.395{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\OfflineSetupProvider.dll.muiMD5=CED788DBD9D13D0490B2F642B0B051F6,SHA256=D5DBC0A52B598800EE14569859383525950B865F4816E47E2E73F79AA1C32A09,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674162Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.395{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\MsiProvider.dll.muiMD5=5AE9ABD6BB469F3AD7B3A4CCD40974BF,SHA256=C2CE66F2F218890AA76F8BAB68B4C0FDCED0688E694F912F3A5BFABFA6CDB5E7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674161Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.395{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\LogProvider.dll.muiMD5=0D4519BC8EB58A006E4A5EB993C0DCCF,SHA256=DAFFE67521F9B4657FBFEF9585234CB39293F9B866C0D97D66F675037515BB51,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674160Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.395{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\IntlProvider.dll.muiMD5=16ACB74928BC55FD4AAC316F3B92E1D7,SHA256=17CB486CADB679C75A27BA6C76E2FE714F4B8DA845E6F795759517D6734F0BC9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674159Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.395{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\ImagingProvider.dll.muiMD5=26F5BBF8D6EE90B4F47C18E93D1087FB,SHA256=F41738FEF7140176447ECF371B1117A485E48BA6F3E9AFAA8C4F883ABFAE62DA,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674158Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.395{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\IBSProvider.dll.muiMD5=0B09FE334215A8E736B2CF08A50D5204,SHA256=DCE9AD3B79F91BEBEDDFCD9E03F1557CB7C6114AC906081E9E046F807093CDF1,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674157Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.395{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\GenericProvider.dll.muiMD5=956B8B45B92321C0D5975EE9A6C5B773,SHA256=578541D71466CF61EF399023B34EDFCBD915142BE856534AD4D17D25E7CC9F3D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674156Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.395{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\FolderProvider.dll.muiMD5=DC4E4C2800DC6D98F7893044A21D246B,SHA256=8B4CE62F4E4294E701193C7AE393EB5EB29AA45932D376CB1A03728A140096AE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674155Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.395{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\FfuProvider.dll.muiMD5=5ECAD70AC2B3A95CBB42D6FE67D2F726,SHA256=C210389DBB9B7B4A802E4B0C3C708B6F55B086564A01E19CFB183B6AF916C30A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674154Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.395{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\DmiProvider.dll.muiMD5=38C2A1560C340537C3AE0CE04BDF7EAA,SHA256=52B06DFD85FB5AB1DCE2BE665CA144B1AE6658F518D1623D9B44C347C482B064,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674153Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.395{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\DismProv.dll.muiMD5=BD7B77B3EE9A12FF3F5446ECDF80B5C6,SHA256=B972A0B2C4682E9074441B481BD886DE19B8DB3DBA401B88E980B154C14D5A7E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674152Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.379{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\DismCore.dll.muiMD5=C901FF639EDFBBE710D6E5882F07CD24,SHA256=9BDA61D23DC50F9AFA82DA94B06B7B9C8229D5ED666D2F5270DAE13100815C27,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674151Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.379{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\CompatProvider.dll.muiMD5=A2A344CB32B6835744A36D877C952665,SHA256=A74D765B796638A921C4810D1712A08F7A37C9BA9E91F4DFDCB9727611C3D18D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674150Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.379{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\CbsProvider.dll.muiMD5=179B34BE97A383AF3E757031E7DA964B,SHA256=ABD3824664D1336EE849D89BA178606CC1B1E23E173752D8093F34A5580FA8F4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674149Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.379{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\AssocProvider.dll.muiMD5=386FE7AC95738A0CB6D25DEA662991F1,SHA256=22DC7317108A528BA92C853330598F628B93FFF27CAC34C2F501B806A75261D9,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674148Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.379{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\en-US\AppxProvider.dll.muiMD5=9FF5081115C2C21D9F85AF7EE6D2CC63,SHA256=107B10A8C1426F1C0D703F06832D740A4CFDCAA596FA0EA147A32A736A7A2A4D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674147Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.379{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\DmiProvider.dllMD5=FC76385FF00D4A93618D842B41716D8D,SHA256=BBD49A49CFFA8411FFA91B02541F5F3B5333FD9055BC129DDD3B36EB005C34D9,IMPHASH=062B279D8ED4374A0CD0C84620F4BE4Etruetrue 23542300x8000000000000000674146Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.379{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\DismProv.dllMD5=8C7D97E22045AE402EA896F514CEED81,SHA256=76D3202E11BA22D277532A14CAE60E596975C0D8C34C7BE154F453EB1F7C37EF,IMPHASH=0247CB1C8FD55E43A448E359883057DBtruetrue 23542300x8000000000000000674145Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.363{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\DismHost.exeMD5=A59C22B77871CC18970038B7FA43826F,SHA256=CB84B51713BAD689ABB96560E57A71B276D4B28B1C09C7116EE85F5782A1B144,IMPHASH=734010D3430DBD2CA51B599924FE1424truetrue 23542300x8000000000000000674144Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.363{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\DismCorePS.dllMD5=FB88731B484D1FF4AFF5DB75A20799FA,SHA256=EA155388211E0C3CEF2C99BD5F341C9F93F1ECDA6F21096DB6F9DB2110686A52,IMPHASH=65E10DCEA11F7117C161DC7557B87689truetrue 23542300x8000000000000000674143Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.363{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\DismCore.dllMD5=F1AB58CACD95921A04225222D03CDEA0,SHA256=EDE89F377FD46F95639413411CDA072D9FF63E72A399B26AB4870094F145091B,IMPHASH=B7B56C790C8AB7134B0680D8DFE46658truetrue 23542300x8000000000000000674142Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.363{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\CompatProvider.dllMD5=E5C1D020198EBEC1D5ABA640C9A600D0,SHA256=A80FD2846E05AB491BDAAFCE8854A04549A852066B82B90D757D9B6A44ADA8C8,IMPHASH=2CDD615C09EED7B572606B2A0C0EFD2Ftruetrue 23542300x8000000000000000674141Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.348{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\CbsProvider.dllMD5=D4A64C7C50D0C6BE9F8770177E2264BF,SHA256=E6505F9DBE17DF9E7E52B5FE1720E1F6482B25D262A47A320CF438C5FD5A5797,IMPHASH=99D5DC4FF67AB12670853DD4E32E8358truetrue 23542300x8000000000000000674140Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.348{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\AssocProvider.dllMD5=56CB83B3454882509791FBA62832BC87,SHA256=5B01524CC03B6EB58CC9E0FF479014EAF89EE7FDE2791BFF871BC90274D200AC,IMPHASH=83F73507B4613B09C6FA825535D8A81Etruetrue 23542300x8000000000000000674139Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.348{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639A21AC8D37711D35EC0C076AF77E49,SHA256=1E7667B9D99B9D4BE658AFD02DC5BCF14C82715BCC76C358126411C56B94E206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674138Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.348{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\AppxProvider.dllMD5=8F6792DF9EC54934B76A68B1D7B66ECA,SHA256=E57CB2D5CEC5E1354F4E31CD08ADA02FCAA0E2DEA4B28C8F61683BFA3E875C05,IMPHASH=F1558CACACA712554EBD5926B4B3FE52truetrue 23542300x8000000000000000674137Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.332{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-service-winsvc-l1-1-0.dllMD5=09934F0F7227B9489D117C26EC20CD14,SHA256=CBE408A0AFF90986A6A7DDF022F96302B4FADD08A0C3C166CAC7A64D6ABF041D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674136Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.332{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-service-private-l1-1-1.dllMD5=484ED248F1A72C6E4E6F6C3F5A3339ED,SHA256=00E14515FE6FEBBF3C2CFC89A6F1A3D6F48B3E7A5EB08D50DADF69CE3F34CC47,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674135Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.332{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-service-private-l1-1-0.dllMD5=FEBE55EA884F3C1EE45ADE2734AA6BE6,SHA256=CD51DF334A600117133C9C8100DDE766D980456988FD333A40BE5A81C8092340,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674134Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.332{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-service-management-l2-1-0.dllMD5=0D45D811001E0A7683A2B7CA8A883874,SHA256=F44E2A85D7507159AE115C85C3497C57BE4ECB2D6ADDB30A534110266D56F92F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674133Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.330{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-service-management-l1-1-0.dllMD5=C36912B3A28B06F5BB24FE9BE49DA4D3,SHA256=D737A832C0D595E8E52846C2D748B911D7155E372F43FBB10513CFDE0BBF83B7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674132Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.329{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-service-core-l1-1-1.dllMD5=A86D518BCF3970C17A1768792FDF37FF,SHA256=AB5CC1B14D6BB708B5C87C2622DA886E2119A6997E08108CCE36080385DAEE71,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674131Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.328{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-service-core-l1-1-0.dllMD5=A329C75641638E2FFA11087F614FD4C1,SHA256=5071AA303D436407D195EF37889F018BE7E350DA5E690793587458D4C6D308DB,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674130Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.327{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-security-sddl-l1-1-0.dllMD5=C6C6C3E4D7CFA93246362901750A94D9,SHA256=6E274ABE823EF8B30629A99D9F942794C9FE6D003021A0C5085B49A7D8611DDE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674129Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.326{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-security-provider-L1-1-0.dllMD5=207B5716605CA4850629F3E2FFFA07BB,SHA256=BE6E6284F69C76BE6366EA8D44D85BDBAB6A71DD42E8B5575CFDF671AD58DCA2,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674128Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.311{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-security-lsapolicy-l1-1-0.dllMD5=FE7AD7265E296947172B8C491E8109D2,SHA256=4D231AC65F0F54BFF45CACFFE7DF3109CF87F78D14960EC8F03654E605AC8ABF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674127Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.311{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Security-Lsalookup-L2-1-1.dllMD5=EBD6475839F5C99FB8855A80E0FC2AF1,SHA256=F519C7AA6930DAC83A3045CEEE42F64F26FFC54254D5ABD1B0F7D99C47569A30,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674126Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.311{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Security-Lsalookup-L2-1-0.dllMD5=AC284A6251F5D26633AF48D918D09628,SHA256=F7A34B793AACF75DA4EAE843B6088C0BAAA8B835EA5F6A65E72EBD9A1479C8A8,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674125Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.311{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-security-cryptoapi-l1-1-0.dllMD5=DE0A49D4B2E9A5FA6762BD191C622B32,SHA256=AB12FEAF15CB313812B01AFE1198B62E72F7702D140830ABAD2CFB6251E82A7C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674124Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.311{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-security-base-l1-1-0.dllMD5=DC4B661366FEAA4ED54FB1004D9E7A3D,SHA256=B4018F8F249CE087DB46F61A0C2E947248A5B71576F511F0B3650433607BC663,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674123Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.311{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-EventLog-Legacy-L1-1-0.dllMD5=B8B7B02C3C66638EC0BDF49BCF04A680,SHA256=5D1103E89199731DFFF7BF89D7F6484C038D47CC04F730CD5233EDE488272E6A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674122Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.311{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Eventing-Provider-L1-1-0.dllMD5=FEAA05CE6CCB92AA7B2A2C58C049891A,SHA256=31A4AE262E179DF4CA406E1AF90F651935657BB5FD990C675C67E37D5B834CFE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674121Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.311{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Eventing-Legacy-L1-1-0.dllMD5=88450242D5350529CC8E46FD9C3F3B7B,SHA256=312B6BFC89B551F2C4E8FEDAB316DBE01F190CD5E67091AAFB0E6F67616DC745,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674120Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.311{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Eventing-Controller-L1-1-0.dllMD5=00A27A81EAAE90C9CED7063013877357,SHA256=DC4EE086FC046E1D7A291EA3B8B13E77B7A252B5C283B8F6C9CEC729070B7822,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674119Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.311{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-eventing-consumer-l1-1-0.dllMD5=61958A4BE8F944BAFB29DF8009541FCD,SHA256=3B7CB5622BEAC7D633A84EE2F7336C8DE1D3D1AA10577D98020081AB67761FAD,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674118Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.311{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Eventing-ClassicProvider-L1-1-0.dllMD5=8500E093D6B36DF1AF271F6EB34227CA,SHA256=99E2CD36104D3EFD4DEC88AD0F4BED1FD1BBFA97CC4FB29DB7F7136290DD6B70,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674117Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.311{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-devices-config-L1-1-1.dllMD5=5A03B636125C21AB918D2CB04843DBA8,SHA256=C914CD6FE6C7B16533763BC789EDAF67D7A19C26514C927572051C4379C79FC0,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674116Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.311{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-devices-config-L1-1-0.dllMD5=0C61A8D9CF9BBF6D771BEF0FF4A43E23,SHA256=66807B95E13944D52E9A7AA1F1A41E632FAA46F6B48F98451618DB3845622577,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674115Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.295{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-core-xstate-l2-1-0.dllMD5=56A386E38B637FCD96CED04CEFBCF8DE,SHA256=A5BE1E3C71A3A5C8EEF4BFAD9D0BADC97BA47B2B9911CED4BD1B8F65BB8DCB77,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674114Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.295{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-xstate-l1-1-0.dllMD5=6A982D13DDB295E59F90FF23EDD2E60F,SHA256=3617DBCADFE370463B4DBB91C1C6222923F16EC362DE29C2CA3AE4E72C9ABB64,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674113Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.295{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-wow64-l1-1-0.dllMD5=AE7573E1DC370B9A8FEBCC17A6C82FF8,SHA256=59A473D1AD7C181C89AF00B966CD107F1846CDC526009C4807A1EAE3DCB3731D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674112Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.295{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-version-l1-1-0.dllMD5=5CB34501C2D784D31281FD526B0BB963,SHA256=E45B73AF0C35F05B01CADF6BD4F67C1497586F4C4F9A16F0448BA751E16C4596,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674111Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.295{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-util-l1-1-0.dllMD5=212DA9E9AD6BB61A3554A4174BA558CF,SHA256=01291D3895EC5BB0E658F91FE1512AADCBB6D8F1154BC6023076554AFA05AC1D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674110Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.295{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-url-l1-1-0.dllMD5=198A08F8150D7575CC207CFFCF67D66C,SHA256=86F6DA0F1D075B7E1678DF71689948FEC334CFB10316FEB40E5107135548F9B4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674109Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.295{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-timezone-l1-1-0.dllMD5=4D7C132D9742FFA44248B1BBF32020FB,SHA256=58A65C1938DCDF64D2930B037E9D133A5ACDF46365835782869D3216D3CF2CED,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674108Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.295{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-threadpool-private-l1-1-0.dllMD5=A9BC53B62CD4B269B8385ADBE0AE808D,SHA256=A30003AB0C020E433CC5296E7E150BB11820395D439062FF7FD6D7F449C4C5B3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674107Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.295{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-threadpool-legacy-l1-1-0.dllMD5=CAC86F4298EB2D239410B3338780DC34,SHA256=1D99842180A612D63F1A8B137A9BF0375B7113AAB325916BA4781AB8A7B68E7D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674106Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.295{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-threadpool-l1-2-0.dllMD5=D32DDF80AB3F1F96F431E5672DC1F387,SHA256=E2F0F0D46082ED40D042BCCD47F4E917707CF884672C5919116126914FAD4572,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674105Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.295{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-sysinfo-l1-2-1.dllMD5=E83097DFE144367FA2231828F9FD89A6,SHA256=69FA978126192DBAB6AF11C9878D9C2BD1FD7E3FC899300244DFA4A1AC7ACA31,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674104Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.295{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-sysinfo-l1-2-0.dllMD5=8D842EBFFA7803451A3AC7D6907A6AD9,SHA256=808C22A733B5F6A4E601605DCF4043C9952CEBE825FF2622097FC5B4FACF682A,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674103Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.295{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-sysinfo-l1-1-0.dllMD5=376E34D4A8F94C94FFF063810717612D,SHA256=5285A11016967E2017A8187882579CBD722371D0B7497B356149FC447160A521,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674102Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.295{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-synch-l1-2-0.dllMD5=E19F4FA6A6313F00ADE8AF26649A0BA1,SHA256=386F6CC0C3CE0C904A44A2FDDD11B2E5EA7782B08E69FD961DA5BE3C32BA5C26,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674101Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.295{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-synch-l1-1-0.dllMD5=95088E453B41A8B50E7340E6DE9CD09C,SHA256=E4938C16CA5FC7A8C9D87E4201FA2F28992026F5858F36A2A44EA22B5BD0889F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674100Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.279{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-stringloader-l1-1-1.dllMD5=FE1D00B19175DE6E9729F709C508DD6B,SHA256=D726F32AEB323F4DEA55D35441D1FF06BF3E212846A6B86D9ADC8F9DD1307B57,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674099Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.279{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-stringansi-l1-1-0.dllMD5=43F8D61E2EE0E253B973EFED0B3EBC8D,SHA256=1B9FA225A474D42FF8360141C8BC1EE1E7310958910931AC8E5A213E957700BD,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674098Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.279{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-core-string-obsolete-l1-1-0.dllMD5=92C0A4E592B5D773C562A36CBA4E6E47,SHA256=5191E82E921398310FE9FD333F5CA44E6233358499EDD5B33BF8E9F0C9D3B88E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674097Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.279{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-core-string-l2-1-0.dllMD5=3E1902AF98905F00E62B1EC827EB0FC2,SHA256=503443DBF6E6E481EA1C661109CE17B3D55C4FEA001D77F11CD032BDDF64FD29,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674096Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.279{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-string-l1-1-0.dllMD5=D30D4587D051D288D1023DB0D826295A,SHA256=DFE66C8C205C95274565BADB7B3C19043917F6CD07A8DE34CE241EFFF9EA6676,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674095Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.279{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-shutdown-l1-1-0.dllMD5=1D8D1283F8279BDDACF8745AEDA3DB2A,SHA256=21BF3432160DD9851CAAC716DF3A41E39428A84BA9B9D3C63CDD300CB6928300,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674094Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.279{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-shlwapi-obsolete-l1-1-0.dllMD5=33BEFB60C3DC3E93FCE54A0515100181,SHA256=24B3FA4C5E8AB463BD2CFB704D7BFA7E8429726852EF582F94E44D7691BDD1FB,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674093Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.279{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-shlwapi-legacy-l1-1-0.dllMD5=699CDC66AA090D13EFF451F2006944CF,SHA256=6212B2B8CF5533F9DB6E366BBADED7A8D6EAD6667EA6A425B6987102669D8D96,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674092Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.279{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-rtlsupport-l1-1-0.dllMD5=F9672F68330CD16B0D1FA3A75B123AE8,SHA256=C5938839A3DFFBFBFEF432D0A95D0773375B4758FC160EDD04383A4B4273A18B,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674091Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.279{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-registry-l2-1-0.dllMD5=BBC015F33C0C3C2F9FC58C466BF8A30A,SHA256=1ED3511DC98353CA8E9B22A40C318BBD24484C25C171886B06B22AFD396ACFE8,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674090Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.279{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-registry-l1-1-0.dllMD5=D132FADCBF190A1C68070E6D488E67D7,SHA256=E6F51C07641EF931C4F97E5D966242BB96A156A603A7769BEAE0EA61E9E25486,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674089Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.279{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-realtime-l1-1-0.dllMD5=792C54B79CA333ABBB51BE66815A98CF,SHA256=1E3B3505560AB3E641C386473A83AA194D94CD5BC6CC4FA718D003D1FF899601,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674088Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.279{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-profile-l1-1-0.dllMD5=C4E53285E8C51DCBEFF5098215759D69,SHA256=320A6138FE915BE7E83F4CDC2024531948185C3BFC939CB367A53F1AA74BFB2C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674087Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.264{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-processtopology-obsolete-l1-1-0.dllMD5=99E3ACC47F10000AE67A577F5893FD5A,SHA256=AD01524D3FDDC25C91292808E7B333B587C902E996E557885E79CC10F9A66214,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674086Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.264{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-processthreads-l1-1-2.dllMD5=DABFBC1EAB7AEE555F3BAEAF981EC7EB,SHA256=3070505B0B060D9EE9C2B699A518481A22DC15ECAF9603089FCF9EBC022179C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674085Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.264{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-processthreads-l1-1-1.dllMD5=8C5DF20B2E2DE6BA6717A597A951E4F7,SHA256=BE42C78E3F21CD6E74811F27E1B76C4FE8537FB149EF34EA455F22AAA29720ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674084Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.264{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-processthreads-l1-1-0.dllMD5=3D0CD1FE610E55E8C151162004A1429F,SHA256=D43535460D9CF2F2D348E9F2027DAF9FC0C0C906D5066E15F86332C839C94651,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674083Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.264{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-processenvironment-l1-2-0.dllMD5=BB20192D0B22AD2EBBF4960B66D2E164,SHA256=23E758C4F7646AACC2DE8B8930BB272115F726F27E5437DF606E1C2328FA48F4,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674082Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.264{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-processenvironment-l1-1-0.dllMD5=2CF62C9CF255C15AD1C8B1CCDD9453D6,SHA256=35CDE2048D4EC8D5D02B1CA57B81B8D5F579541EDBAF5DA4485A6323B8C3A805,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674081Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.264{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-privateprofile-l1-1-1.dllMD5=FA8EFF9B35BE58F70CD0014DAF108819,SHA256=835F086B0884E8E1689D661657F258FA1E71439672E9F0CC0140D614DAB6FA6F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674080Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.264{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-privateprofile-l1-1-0.dllMD5=C8490BC5ACB353CAF140CB12670883A2,SHA256=85F3FE5E802843596F466D479111658B08271E48CC1821EB17E6D299D523C95E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674079Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.264{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-namedpipe-l1-1-0.dllMD5=D8F1E545D80C2045881C7F0525558D80,SHA256=0D9C3D6A6DF364F812D370258C1B3D3F97584E9F7D36569D06746EBA1695D368,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674078Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.264{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-memory-l1-1-2.dllMD5=9F77AA276A31F36805DF003F9E66BD99,SHA256=26425008D97A2EA8B95AF52BFE47CF5DE1DE9BB3E25DF77123B85C895192D7D6,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674077Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.264{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-memory-l1-1-1.dllMD5=728A5655624D5B091E8E216BE90D9EF9,SHA256=A2B17F63065CC760FA9CF5D2950D0E13613997546C90CFA1C094CF32171D49ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674076Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.264{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-memory-l1-1-0.dllMD5=BA6B6729DC95AA60AF31A160E2CB4533,SHA256=AA433713D5D1DB4413E9F5D938C0C452BAE8EB1BF8CD011803464BBD893BBB08,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674075Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.264{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-core-localization-obsolete-l1-2-0.dllMD5=B5727AD79BEBAAB6E6AFA381A28A8E9C,SHA256=C0E101B6BCDDC28A9BA24C7796BBDAAEFC14459E402FD53053F3C23E0D84D040,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674074Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.248{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-localization-l1-2-1.dllMD5=FD9B6F1EA88B7167E6EC227A61B90888,SHA256=2FEF21096468EE5C6BFC88971AFDB4CC07F6C4669375561863B85023C15684AF,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674073Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.248{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-localization-l1-2-0.dllMD5=C8420A86D981BB6AA0D32001D234639E,SHA256=2E93EA8BB070C07C39B7F042B7D9843C4B74B3D4E69C8E33D89B0574B2D1D43D,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674072Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.248{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-libraryloader-l1-1-1.dllMD5=787DCDC02E39A27A63B857FF6E819593,SHA256=91A7DEC7B636C00032D122CA04D4B8653B13E1211C54A4184F3955D2398C2E2E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674071Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.248{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-libraryloader-l1-1-0.dllMD5=AC90FCC4E819CD2EEED5D09A1FA42BAC,SHA256=2DA68FCBCE619BE5A90501F971467B7A894C6A705659346729E1E4E306EEB7D7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674070Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.248{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Core-Kernel32-Private-L1-1-1.dllMD5=E269D033D63A117DA8F3F855B90CCBFD,SHA256=41437C84BF757CC5758BF381600D0DECB00E8F8F56F11765203B7880AC4CDDD0,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674069Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.248{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Core-Kernel32-Private-L1-1-0.dllMD5=58B0B7C61F098BD1E73E9C156CB38C64,SHA256=C366B92E7048081C7B336CEAB970BAA20AFDAEE2456820AA38360D1429C27669,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674068Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.248{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-kernel32-legacy-l1-1-1.dllMD5=912D93DCBE67A1373D93BACD0174E3ED,SHA256=0B94CB7472E0777AEFC1B3208ADDE41B893B78B3223F515FB86348D3362624C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674067Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.248{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-kernel32-legacy-l1-1-0.dllMD5=8E788763C9CDB6E5D1A313C08F7D621E,SHA256=5604FCC803BE14AD10C7A2372FB19BC80D43AD850109A670676982A4EC961473,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674066Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.248{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-io-l1-1-1.dllMD5=DC7E345A08B64DDD90906151E1D566E9,SHA256=ABDC082DAA40FCAF14E4E554DF23CFC48533F5A2157BD540BFEC49EB8E31E403,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674065Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.248{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-io-l1-1-0.dllMD5=A4381D04E233B96B657262DE9B31594C,SHA256=17BE2709D85E6B922BDF5D357FB4CD9416234F8E6685226F5EC776E8B3B5A678,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674064Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.248{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-interlocked-l1-1-0.dllMD5=39646EB20F4366691E3EFF958C99D1D4,SHA256=262D2C2EBAFFA4276F54B05A5A1DA125CC9DCCAF76EAAD3AAF7B23D54EC33C8E,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674063Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.248{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dllMD5=0C5DE8F3B6CC9B44ED0A0556A02F4867,SHA256=D08261783A1749B08F7423923B00FD77E3B44265889B1F550A64239586BC8FC7,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674062Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.248{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-heap-l1-1-0.dllMD5=51EBE577149EABD170684C2668F967ED,SHA256=0091D6C33047D8EF6E0F09E049DF2CABA5EE6B4F5B1870E0A369D3BF6DB72330,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674061Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.248{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-handle-l1-1-0.dllMD5=F83CB23123F3E4885547ED29F2BD2360,SHA256=495A9EC7C50D6D72F209E1F69C9B0C292D8D32FBE79FE675128786F8E351B988,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674060Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.232{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-core-file-l2-1-1.dllMD5=8B79E85DB9AA6D00794E5151455951BB,SHA256=EE600140599138132439FA9FB9FA6B028A9BF2A206A856CCB1106EFF45459C13,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674059Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.232{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\API-MS-Win-core-file-l2-1-0.dllMD5=455C1AB890C154076E0E23A42F10B6F5,SHA256=DB95D8AA71A8E0A54852C1A83E42267C72E26F2A111AD41146096BF26825FF62,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674058Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.232{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-file-l1-2-1.dllMD5=A9808572063E5A5649EA59F8B40FC7A8,SHA256=D4FD5081924D4B544188A687BD37127E0A38AF310E77C55F6EC22896B95B3C9C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674057Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.232{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-file-l1-2-0.dllMD5=4438E1D7952A77B7F71FF45EF821814F,SHA256=1C4FA5120E310E49C8112ACB6E594DB2F581AE4B6BA6241EEA4301E0E373959F,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674056Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.232{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-file-l1-1-0.dllMD5=FF5C179E19923B65E650B11283250D50,SHA256=CF84455BC2AADF2960F0AE4D3691BF3032F412578CB2730A27848C6B26D00225,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674055Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.232{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-fibers-l1-1-1.dllMD5=A263189D905386A2A91CD2EB39D3365D,SHA256=7392027920D102DBE4C2C15590CC471063D6B1456CAA797BB71F8973C60B47FC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674054Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.232{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-fibers-l1-1-0.dllMD5=A1827E232474C845B7A495D1A4CA6169,SHA256=A95088251923F1233CA4F5675457D6D6B2A1601734D4B5451420298491864746,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674053Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.232{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-errorhandling-l1-1-1.dllMD5=E98BCC3FA25D6DB36D50786EF08DBADD,SHA256=7BDA00F42BE64BCC1022EC3000FE2582CDF4CC89083D868ACA9DCE982C98C52C,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674052Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.232{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-errorhandling-l1-1-0.dllMD5=14E8A42D84E459F617344438903680EE,SHA256=1FCB6E1908C13B5184373E83B3C13FCF96B55E4FBBC8AAF4D6E9DA604DB75848,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674051Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.232{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-delayload-l1-1-0.dllMD5=762D2E52FAFE433C50648FC23D7C3E76,SHA256=53238588E10FFAABA96C751D34181BA04A869A0474757E79D9FE82ABC3DC7CFE,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674050Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.232{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-debug-l1-1-1.dllMD5=1652E7B742F30832826B48E62485BFC7,SHA256=0362AFCDFB6CA89CDEE0DACEC94A5E45D6910B5337343149007DE2443050D154,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674049Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.232{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-debug-l1-1-0.dllMD5=E02F6786930435C736D71E9B6B898773,SHA256=4C0F43EAC3834878F16175B17427C0195A3213B7CDF9702447667D703AA29B54,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674048Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.232{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-datetime-l1-1-1.dllMD5=78876D83AA27E510EC3DC3355D034B92,SHA256=44A696C4626AF85EA565D651D7FAF5E21B6EB0C6EE47EE93419D8A7BAD565278,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674047Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.232{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-datetime-l1-1-0.dllMD5=CF9560A4450AC70C51866581802AE8CC,SHA256=A7A23DC37F028D38D2836CE881FCFF1FD066538588B207BBBCC3B1AB96E3AB62,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674046Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.231{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-console-l1-1-0.dllMD5=893E267BD0B91FADAC2A2BAE70FD0400,SHA256=17D17AC0383117E9A14D7687ECAA3B27AF1C71B89687A5C3E5B8761B2E64EDFC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674045Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.230{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-comm-l1-1-0.dllMD5=C7EC73197892D7F63059C10D19BD5D90,SHA256=768E17ED08111FD22BAAC8FAC00C7DD87F0E57FEFCDAC58CE04B868528B2FDFC,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674044Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.229{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-core-com-l1-1-0.dllMD5=08A5A3129DCB52F3C4E51EE3C4A827E7,SHA256=3C6549832275052BCC2234CC4433D95407800ED65359F5147C4762EE0C71F712,IMPHASH=00000000000000000000000000000000truetrue 23542300x8000000000000000674043Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.227{7B03F3B2-7FC6-609D-FC55-00000000BA01}4988ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\api-ms-win-base-util-l1-1-0.dllMD5=29CD6DDC6BADE9098B9A4402C6336D62,SHA256=B97C475AA8241C9B674E8C51C387AFAAA7977B036D9E2F7FAFB6CACC11D985BE,IMPHASH=00000000000000000000000000000000truetrue 534500x8000000000000000674042Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.210{7B03F3B2-7FC7-609D-0956-00000000BA01}5176C:\Users\ADMINI~1\AppData\Local\Temp\6AF9C314-069D-4590-9A0F-7150A71AA8F1\DismHost.exe 23542300x8000000000000000674041Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:53.179{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6D131BFC1E04DC10FB08C1421FF715,SHA256=6FB1FACC28452BD82708E583A3EAB2711125562A28A6278B32E4925C123F8A76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572859Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:54.528{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=701192B4D71AA00452888BA352F8E71E,SHA256=E78B8F9F3D1B4B8B1AC1947D568E0817BA9075D14158748951B0A64271D24460,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674195Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:54.579{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674194Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:54.579{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674193Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:54.579{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674192Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:54.579{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674191Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:54.579{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674190Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:54.579{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674189Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:54.478{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1EB3C22DBF014F0170823182C87609,SHA256=DA18DAFADD0A6FB2E9A7253564AC156C1E74A5C5EA2A2D9EAD601189A84E9554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674188Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:54.229{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=808C125DD8AA4E2813E28240A3B4C65F,SHA256=33913CECAC7053395DAA3DD4375A4E3BEB0042F850864EA513D2A7DEC2D801B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572860Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:55.543{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567F7DDADEEB7965BC12D8FBFD6C0498,SHA256=22C05A6F46AE7AA86E15CED4A0912162E1C7BF9C00D5877861A589ACCEAC0539,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674197Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:55.595{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CA2DCE1660E891DA2493416CF76B2DC,SHA256=879C23F753FD6F46BFAEF164A719782B943F6B53435189BFC2922063680CED58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674196Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:55.248{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D905908D0F4E58EC3889F08CB5543D27,SHA256=FBD311C72569F1A16645BACF80CA8EAFDB05E8FE06EA34F10EA48C29CAA231F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572864Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:54.674{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52800-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572863Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:56.543{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B60B0A407B6303989AD482D443B99E7,SHA256=DBAF89407135B84CA6BBF5515D578724E39605FBBBBD19B64A217669E1EAA606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674198Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:56.263{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD38CA38710E220CFFDFA3CBF990066,SHA256=A79CDC7FF7730B1DE51DD925C9B9FAD2385936EB3A09519B2895A04821392586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572862Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:56.074{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86145A2ED81B13039289E3C655518DAA,SHA256=B5C6EB22D144B3A94C44167CB902303D9E3595955C9D3C6A526BCD29617FE3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572861Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:56.074{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00FC11E605A45373D6CD49211B90F298,SHA256=98D03A0AA41804F50A59F765BA5D69898BC6A581C81E72BDFD05960FD04C8D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572865Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:57.590{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=356AF8EAE50FD36DB86A6AC8A85D27BD,SHA256=8B09FAA3A8C6FD9F912205C97C2F08B57403E34AF3A2BEBDECCCCCDBBDE1C8ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674201Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:56.424{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51201-false10.0.1.12-8000- 23542300x8000000000000000674200Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:57.292{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0858267941BA5672B2FA17422DDA4084,SHA256=27100D9DB60455F0E969F0D29CEF1D2C13E0E7B444781D36FF589CEF4255519B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674199Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:57.193{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87E31002574E6777AA2522F36DC0F5EA,SHA256=156D44A7D3C58BD489D1FA2E78BFFD0FE5D51BBCE4F4068905C299F01031EF2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572866Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:58.621{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF78DD2DADF4F03AC1DBF470D3075BF4,SHA256=D1A0310D215A0AE4B06481D389CB94E433221B60E1E6C1982F1AC186B0AF6379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674202Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:58.308{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3F7B3C83654B4569C0E137C576ECEB,SHA256=8785F9232EF6A9E67E70A7D47BC8A431C406DA5AD5C0E1B65BD15A60A0961A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572867Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:59.652{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B9E9396042BCEAB6B32DF9B77452CD,SHA256=ECAD54390EF9D0BD3F9672B9A995747E0FFE7DA50C3444C46B1F39E04220C3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674203Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:37:59.323{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7B0256731B6F6D449C21C4DFA4CE8A,SHA256=50146DE9A120C73ECBD2678B2390278E9060A3A4499F973791CC6FB7B3C5B05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572868Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:00.668{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284FD8663B185AD07D873AAC71CD2999,SHA256=01C6A3AAF6FC9D2A269E8E5E5D36420DC1F8D10B41572D5B9A07F8529009294F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674204Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:00.343{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CDF6922ABA654FD3EF3D6A81EA39D2B,SHA256=491A167F4DD6AB278EBE5D2AF48295EF65F146CDA8189EA9E80BAC36373CA832,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572872Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:37:59.784{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52801-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572871Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:01.684{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2914DE0FBED7CCB4FDC53A2557AE8DD5,SHA256=4BC8FD2F0F6D6A1F9AF1AD43A95B876A4D48331726DBA12E98EC48074B1F0FA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674207Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:00.637{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local54280- 23542300x8000000000000000674206Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:01.404{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADF83766F83A2B7BAEFE1039BC22A595,SHA256=844A36AF2C155AA8CC86962A7DA6F5F3342E7A2DD02992BB8EFBB3B098CB3666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674205Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:01.388{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965C290A34C12E6BABF411107DC5E47D,SHA256=19ADC0CF490C37203C99FEDA7E00E009CA134DBF2631CA300D9B907284156582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572870Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:01.168{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95A386C98655815DB718EDDB03838BCD,SHA256=9738C229F524107989D1136F9C46CCFC0106D54C23E8FEC24B2CC6C451D65C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572869Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:01.168{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86145A2ED81B13039289E3C655518DAA,SHA256=B5C6EB22D144B3A94C44167CB902303D9E3595955C9D3C6A526BCD29617FE3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572873Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:02.684{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAFB5CAF16F530E64397DC666C53D360,SHA256=EB077F432F5FAE59043092E327A346E517D6E76C146BA30A1396EFC4DB6392E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674209Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:02.426{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C17D2FECEC2FC6E17ED714B307F3CD0,SHA256=C9471C1A12F994937E9C11E46BBCC9C1A3BA50F3A70F463602064906C1F6063E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674208Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:02.390{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D33A6DC85B3CA4AC3E024DA8D45B2E,SHA256=3CD0A0D6734EC034E697203AB30457D577849BB5D5F1C3B90602A00175760BCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572874Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:03.715{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE7F62E3BDCA6DB61A11231A7C8F7BD,SHA256=07EABF50C86C2BAAA94164D635A68D09E49589EE756B40E7A755238000A99A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674210Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:03.459{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97A372EFB35D6EF4AEAB92A05072C5E,SHA256=76433342B969C7E0FDF02767722D0AE4684A8AEFAD1B91F9F76F2E809E869AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572875Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:04.746{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03A101EC2B91B7692B539C4F3C2D2D9A,SHA256=24C57A5A42A7C1D023E647503CB5F1B77002D8D31BFA4C7778073794F2CBFEC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674212Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:02.351{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51202-false10.0.1.12-8000- 23542300x8000000000000000674211Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:04.490{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C3E183628C9B3E57C172E9641785D9F,SHA256=1BECAFA2EA90E1ED8F069CE2C3D6EC7FCCF4B941CF7B3BA74877AAF69D76E684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572876Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:05.840{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25820265437464F77EC7CC249BD97A9E,SHA256=E521A363F78C6FA8628433BD0A2ECDA845CDA1E29D8D16D51CC7236E079CA640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674213Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:05.523{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA1B4BFACC91DFE9E4AF5121A559255,SHA256=7C83E94C1A0153C0FFA05AAEB01E3B437AA62DBD3B8D943779F24E7FF939D40B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572879Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:06.861{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F72F36673F6175818B76D799E389E4,SHA256=D189DB13BB0D82E5D397A5CE02F03852ACE3D4D17F7D913DCDC85BE6DFDC0381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674214Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:06.559{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=014A51794A2E5F022129EB1D29824D07,SHA256=8E4D7766B34268CDB488F4CF4EBC61A470478E8F1C2C6A25B3F8D32BD2A7000F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572878Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:06.199{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DAEFB6C9ED33DEFC448A99069CD56AA,SHA256=D793D24F8E219D86D5EB4C86EA6A9724639AB45044A9C261A6CEEA8943E59C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572877Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:06.199{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95A386C98655815DB718EDDB03838BCD,SHA256=9738C229F524107989D1136F9C46CCFC0106D54C23E8FEC24B2CC6C451D65C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572881Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:07.876{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B99494ED1D47563E29B093B66DDECFD,SHA256=F9F989B96D5C21D8AA53FF3BA8A60690A3D0BF7569A423F8D3AE3C5FD2DE665A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674217Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:07.590{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75F96F651DB8E160A7B5C2C8651FAFC,SHA256=F63B731E02A411813675CF3002A83A9EF7BA8E6CB41960A20386623223FACFC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572880Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:04.816{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52802-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000674216Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:07.443{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10B8430D36DA5139C2E81B049BD93BE6,SHA256=7866460230DB8CFE730B454872DD996EA4A3043FE3D57BB711CD828EE121C098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674215Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:07.443{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B29638ED3A7C5FDC63739BC70C861B27,SHA256=98693969B582860BCAF93237364501F03BA0C0D2C66AC1A6EA54058117639D8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674218Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:08.609{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F7E574E705A80AC94639F117784042,SHA256=D0D58EC20B04221A1A12810F3BB700DA7DD15A936A33A5ACDDEF449CF7A35D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674220Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:09.626{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256DFE819EE6E897A0F01FD3203D9473,SHA256=FA014C43186CDC14A2A61AC3C3DD2255194B9AFBB35B5D370342BBF8A1934C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572883Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:09.501{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=47E05BE410A9112BF5788F613D1A1351,SHA256=7820A2B958B9CCF1442A938B46989CCBE7F7F160FAA45D1BC8D098AAC702A377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572882Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:09.001{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9F690C495DD551B0FBBBA6D9FF297E,SHA256=09EB2B4DA9019ED6C862DEC2DB1DB62200D1612D445C1526986D662878560A04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674219Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:07.405{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51203-false10.0.1.12-8000- 23542300x8000000000000000674221Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:10.697{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8FA6A30F9B1A30F3043CDC7E88B4B5,SHA256=7B38623D892410E399FC83BDA8A6D49885B1B84E3E2E099B9A48B02DD6FF8457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572884Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:10.048{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC5FFCDFBC203BDE0CC558FA3EFAEF11,SHA256=EF565BD5309EDA4359BA7FE7E645246E15609FBA60F39EA53B6DB09CF522D2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674222Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:11.712{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F69C065AC14A82F1193B4D3CB7209A,SHA256=AB817ED4E0B7D1270CACB6FFE3FF015012865FFB2E25BA3B3F7700E778591EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572885Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:11.064{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF191663C267F97D53C9E0ED1D47B04,SHA256=843E8145F8CF05904FEA68013DBF2B8447D5314A6E57156DF4A1C17300C3CB85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674223Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:12.764{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF8304BD6ACD5A102BD8BC0DFF073955,SHA256=E0C8A32988C378FB6614BF332E1AF32E7E2941B6DFA5A940B4F4D9CE78F6F6E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572888Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:12.126{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D6D89CD520F152A4CD98B2F383FF5A,SHA256=30549C7AB739828F29EA993FA5BC956734B1F60181154176552945E7C2D2F77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572887Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:12.095{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58188E83183D48507B2764546E79AD56,SHA256=70E71E2F76E92902371A74D5971C4752692CA9FFFF398B8664EE5F2AF47FBDF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572886Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:12.095{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DAEFB6C9ED33DEFC448A99069CD56AA,SHA256=D793D24F8E219D86D5EB4C86EA6A9724639AB45044A9C261A6CEEA8943E59C64,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000674225Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042SetValue2021-05-13 19:38:13.794{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\exefile\shell\open\command\(Default)powershell.exe 23542300x8000000000000000674224Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:13.794{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC24F5662C999AE8871B7908FE93D94B,SHA256=4624D63B77B6B0AB109E44CFC1CF8DC5EA5AF061325298B07318509A956C0FBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572890Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:10.664{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52803-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572889Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:13.142{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3106ED6E6A62AEADDAB89E9769A70EE,SHA256=DFCBF2F00438758D5D87AACBCC48A6E3B089099332F438BB09114BE97FBAD698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674229Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:14.831{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=73E4D9B106EBA6B4438D7E7105E382BD,SHA256=C3929A06EF6E3ED21F950559314827281ED1DCD80CAFDCD520F368D1776E9E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674228Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:14.809{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8976352F64A3B388B9DB3107FFA443,SHA256=7C7295C1BD87EDD7005D7CF111D5D6311CF87E6382B63EDE0A95A3DEE15F3B83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572891Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:14.173{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE2EA55180373201ED5FA279CA4A20C,SHA256=0C8F2C6AA76B05E5643022FD65725152A416133353404035D3445EC3C1781887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674227Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:14.163{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DEDA6709326AF0EBEC05F6987D3A336,SHA256=2938C62960132C014F68A90083CE019BAE9A5D9ED45FDF04ABDCF1405D579386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674226Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:14.163{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10B8430D36DA5139C2E81B049BD93BE6,SHA256=7866460230DB8CFE730B454872DD996EA4A3043FE3D57BB711CD828EE121C098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674231Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:15.828{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70F2BD05481E6D6E1C0AFDE3D0CF206,SHA256=8F98047A91548E31AABAADD29230ADDBA592519054A2502AB3475A4A76616E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572892Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:15.204{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BF87B0A1097F6A4812E465AAB513BF,SHA256=5CC39ED5F9BDD02D9F1BC0F050C4709D87976E0ACF9A5D85BD9DA5959124B564,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674230Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:13.393{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51204-false10.0.1.12-8000- 23542300x8000000000000000674235Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:16.845{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1111038BB5EF7430FDD244B57DADFA31,SHA256=B630188642C34B14D023EEA91CEBF26C3B69212C5E1B7B1C73B03F1C355C7C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572893Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:16.220{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D5391B5FBD7566FDC33FC9343EC8D0,SHA256=CE2AE1935AD8A8CFC430A01A060BEA90C919759DF43B94C760C1357C2B845521,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000674234Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042DeleteKey2021-05-13 19:38:16.826{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\exefile\shell 12241200x8000000000000000674233Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042DeleteKey2021-05-13 19:38:16.826{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\exefile\shell\open 12241200x8000000000000000674232Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042DeleteKey2021-05-13 19:38:16.826{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\exefile\shell\open\command 23542300x8000000000000000674237Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:17.846{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A17B08876ACE191242DD9199EF304225,SHA256=B873D8BC49D69BE31FB0303D8B26A5D5C8B864E6DAE2E310C6E1BC344A3564AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674236Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:17.846{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C7E11D80205DA40472A7B8EB20E64A,SHA256=4301B947849913365962A5F1694AF5343E102A151CC70A2C17D07E7DB22457A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572897Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:15.710{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52804-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572896Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:17.314{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6813BEC3DF4581757DE025AF0E5020D9,SHA256=91090E2FADDAE0C8CBF77E599EB112AF26E7AEFE2DD8B6883587D57F42814934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572895Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:17.142{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B80334ACB1B6EA452D03C0F7920DC8B,SHA256=5AADAE8DF787A9B355092CB16EB0E88FB03FA3E6E6F29D28DA7F607B4EC69704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572894Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:17.142{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58188E83183D48507B2764546E79AD56,SHA256=70E71E2F76E92902371A74D5971C4752692CA9FFFF398B8664EE5F2AF47FBDF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674273Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.908{7B03F3B2-326C-609C-882D-00000000BA01}69846960C:\Windows\system32\conhost.exe{7B03F3B2-802A-609D-2356-00000000BA01}6712C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674272Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.908{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674271Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.908{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674270Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.908{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674269Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.908{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674268Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.908{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-802A-609D-2356-00000000BA01}6712C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674267Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.908{7B03F3B2-802A-609D-2256-00000000BA01}81687884C:\Windows\system32\cmd.exe{7B03F3B2-802A-609D-2356-00000000BA01}6712C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674266Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.907{7B03F3B2-802A-609D-2356-00000000BA01}6712C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg save HKLM\sam C:\Users\ADMINI~1\AppData\Local\Temp\sam C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{7B03F3B2-802A-609D-2256-00000000BA01}8168C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "reg save HKLM\sam %temp%\sam & reg save HKLM\system %temp%\system & reg save HKLM\security %temp%\security" 10341000x8000000000000000674265Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.892{7B03F3B2-326C-609C-882D-00000000BA01}69846960C:\Windows\system32\conhost.exe{7B03F3B2-802A-609D-2256-00000000BA01}8168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674264Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.892{7B03F3B2-326C-609C-872D-00000000BA01}68926228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7B03F3B2-802A-609D-2256-00000000BA01}8168C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+381f60|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01f5|UNKNOWN(00007FFD2CBDC0E3) 10341000x8000000000000000674263Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.892{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674262Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.892{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674261Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.892{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674260Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.892{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674259Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.892{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-802A-609D-2256-00000000BA01}8168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674258Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.892{7B03F3B2-326C-609C-872D-00000000BA01}68926228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7B03F3B2-802A-609D-2256-00000000BA01}8168C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcedc1a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edceda81|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edd76bb2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edce5d07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+ee7c58c9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcab2af|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edd0ed21|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcf0d30|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcf0d30|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcf0d30|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcf0d30|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcf0d30|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcf0d30|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcf0bc1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edce18e1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edd1df84 154100x8000000000000000674257Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.887{7B03F3B2-802A-609D-2256-00000000BA01}8168C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "reg save HKLM\sam %%temp%%\sam & reg save HKLM\system %%temp%%\system & reg save HKLM\security %%temp%%\security" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x8000000000000000674256Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.877{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2021-05-13 19:38:18.877 11241100x8000000000000000674255Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.877{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2021-05-13 19:38:18.877 23542300x8000000000000000674254Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.861{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0A0A797DECDC6C4BC834087A6AE140F,SHA256=04E24F6076E74F931D6087F3D0BC0E84409960BADA1B40C694997D729E7C64E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572898Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:18.361{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63B92454156946E6E05B25C170030C1,SHA256=535E9A8EEFE64BA55FDC284DA90DAEB8BEF4D9A11E844567E37C23FA0AFFAEE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674253Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.745{7B03F3B2-326C-609C-882D-00000000BA01}69846960C:\Windows\system32\conhost.exe{7B03F3B2-802A-609D-2156-00000000BA01}5616C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674252Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.745{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674251Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.745{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674250Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.745{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674249Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.745{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674248Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.745{7B03F3B2-319D-609C-402D-00000000BA01}2288452C:\Windows\system32\csrss.exe{7B03F3B2-802A-609D-2156-00000000BA01}5616C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674247Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.745{7B03F3B2-326C-609C-872D-00000000BA01}68926228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7B03F3B2-802A-609D-2156-00000000BA01}5616C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+ee87a5e9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcee702|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcee33d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+ee7c59ab|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcab2af|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edd0ed21|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcf0d30|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcf0d30|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcf0d30|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcf0bc1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edce18e1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edceee23|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcee995|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcee702|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcee33d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+ee7c59ab|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcab2af 154100x8000000000000000674246Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.745{7B03F3B2-802A-609D-2156-00000000BA01}5616C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000674245Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.726{7B03F3B2-326C-609C-882D-00000000BA01}69846960C:\Windows\system32\conhost.exe{7B03F3B2-802A-609D-2056-00000000BA01}3016C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674244Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.708{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674243Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.708{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674242Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.708{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674241Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.708{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674240Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.708{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-802A-609D-2056-00000000BA01}3016C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674239Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.708{7B03F3B2-326C-609C-872D-00000000BA01}68926228C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7B03F3B2-802A-609D-2056-00000000BA01}3016C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+ee87a5e9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcee702|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcee33d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+ee7c59ab|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcab2af|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edd0ed21|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcf0d30|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcf0d30|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcf0d30|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcf0bc1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edce18e1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edceee23|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcee995|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcee702|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcee33d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+ee7c59ab|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+edcab2af 154100x8000000000000000674238Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.715{7B03F3B2-802A-609D-2056-00000000BA01}3016C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000674277Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:19.963{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B08F8D9E2E94FBC799A35CB4A350E7B,SHA256=E12A75B6DFA28B9D9B9B303B0F0B91D1DE91260AAC81F9994B81783E27CEADD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674276Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:19.963{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9268D7381F0DA76ABBABBCAABA787D9A,SHA256=B83195792E318AFF1316BE0E656DA655416850DEEB33BEC96E18E3DA39E0BE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572899Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:19.423{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA534A775E3B42453D0FB5B6668E8F2,SHA256=1D74589BEC1A181D4A661D707347C355EFAB32919D97E2939AB4C0363A4D8E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674275Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:19.210{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F13DDE461FB4C80AC2D696029AC5467,SHA256=144672AAAC70213877B199F116B1DEFD1AB8E94424BC49BEDD72A38CD6932AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674274Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:19.210{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DEDA6709326AF0EBEC05F6987D3A336,SHA256=2938C62960132C014F68A90083CE019BAE9A5D9ED45FDF04ABDCF1405D579386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674287Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:20.993{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990FA3C5B4699B823D4E88BD5DA6A509,SHA256=83B99914B2A7F94E99A25FF269631BBCAE222B810C1A38401D786FDADE3047B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572900Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:20.470{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F171FB202EF89CB7D840F4E480D6C42E,SHA256=A863C630F44AABCA62E56E3D0804B31A422D0A3A00F8A5A1E80F441AD5885425,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674286Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:20.709{7B03F3B2-326C-609C-882D-00000000BA01}69846960C:\Windows\system32\conhost.exe{7B03F3B2-802C-609D-2456-00000000BA01}5184C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674285Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:20.709{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674284Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:20.709{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674283Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:20.709{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674282Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:20.709{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674281Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:20.709{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-802C-609D-2456-00000000BA01}5184C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674280Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:20.709{7B03F3B2-802A-609D-2256-00000000BA01}81687884C:\Windows\system32\cmd.exe{7B03F3B2-802C-609D-2456-00000000BA01}5184C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674279Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:20.718{7B03F3B2-802C-609D-2456-00000000BA01}5184C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg save HKLM\system C:\Users\ADMINI~1\AppData\Local\Temp\system C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{7B03F3B2-802A-609D-2256-00000000BA01}8168C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "reg save HKLM\sam %temp%\sam & reg save HKLM\system %temp%\system & reg save HKLM\security %temp%\security" 354300x8000000000000000674278Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:18.453{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51205-false10.0.1.12-8000- 23542300x8000000000000000572901Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:21.470{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B75FA01B56EFA5F67008A945ADC65AA,SHA256=8704317D2B7559BB2BDCDD8F1DBFD1CE97B9556F8D6D7E13C57838AE17758F69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674288Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:21.728{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F13DDE461FB4C80AC2D696029AC5467,SHA256=144672AAAC70213877B199F116B1DEFD1AB8E94424BC49BEDD72A38CD6932AE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572904Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:22.485{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FE683E6896E56AA10CD2BB7FF49E094,SHA256=0F87F6F74B24D89E373AD11C41DE2BB7D2E0C4CC8185B68847BABA0E5D69B3D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674298Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:22.992{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C27672BEB12F6CA2BE68627EBEF1D9B,SHA256=9B19CD3ED2874EAD45D62CCABDBF64979D5202441EF4CD06F64BF0A1D18071B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674297Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:22.061{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7280D6C7EAA2F755EF0461EB9BEFC438,SHA256=005EB8F18A7A9D12C9888E9C529A9DDD692469EC7E60503CA861D1A399ED1635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572903Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:22.173{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF563B280CE44149EBC92585B6EA9C0A,SHA256=691BDFD5D87B31388237271720C0116AC6BE0119A8B771B8B5DD320ABF3B2353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572902Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:22.173{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B80334ACB1B6EA452D03C0F7920DC8B,SHA256=5AADAE8DF787A9B355092CB16EB0E88FB03FA3E6E6F29D28DA7F607B4EC69704,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674296Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:22.008{7B03F3B2-326C-609C-882D-00000000BA01}69846960C:\Windows\system32\conhost.exe{7B03F3B2-802E-609D-2556-00000000BA01}7084C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674295Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:21.992{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674294Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:21.992{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674293Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:21.992{7B03F3B2-319D-609C-402D-00000000BA01}2288452C:\Windows\system32\csrss.exe{7B03F3B2-802E-609D-2556-00000000BA01}7084C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674292Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:21.992{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674291Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:21.992{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674290Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:21.992{7B03F3B2-802A-609D-2256-00000000BA01}81687884C:\Windows\system32\cmd.exe{7B03F3B2-802E-609D-2556-00000000BA01}7084C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674289Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:22.002{7B03F3B2-802E-609D-2556-00000000BA01}7084C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg save HKLM\security C:\Users\ADMINI~1\AppData\Local\Temp\security C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{7B03F3B2-802A-609D-2256-00000000BA01}8168C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "reg save HKLM\sam %temp%\sam & reg save HKLM\system %temp%\system & reg save HKLM\security %temp%\security" 354300x8000000000000000572906Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:20.789{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52805-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572905Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:23.517{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8E958016568E4ADF791E394E8357DF,SHA256=7940193E4A134081A23C3F788868BE1849F1EAE5075E45DDF54F0BF7B797BE3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674300Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:23.145{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0A866089B5C491AD0F9901AF60190895,SHA256=6998F96A6ECC200B532545F1B2B682AE53E103366F65D08678DFC6FE1A940278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674299Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:23.061{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04C467450477932B60DEA5DA3B6F57A7,SHA256=167BFE59B43CEBFD409696AC39ABAD6EACA6A4B0BE39197029666089A7D52286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572907Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:24.548{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7249D523F1451E871283FEF176C79745,SHA256=E34DC904A6729F13B89B9313B8B3B605E2E742A77DDFC1341F650761420207F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674302Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:24.259{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20B3BCBD74A82EAE2E66C762B93EA7F6,SHA256=658BBF4D4DFA05CA6F36AACF7883072F2C30795DEE214A31D1473D47E8A33AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674301Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:24.075{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3CD68EB91CC13ACA4AECAAC27147D1,SHA256=C4C7638C6FA1D70D1F3C5D4C8567BD1502ABFD737C2FFFA20B232A06D736DB7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572921Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:25.798{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8031-609D-0451-00000000BB01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572920Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:25.798{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572919Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:25.798{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572918Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:25.798{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572917Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:25.798{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572916Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:25.798{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572915Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:25.798{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572914Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:25.798{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572913Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:25.798{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572912Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:25.798{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572911Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:25.798{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-8031-609D-0451-00000000BB01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572910Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:25.798{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8031-609D-0451-00000000BB01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572909Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:25.799{E1BD9FC2-8031-609D-0451-00000000BB01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572908Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:25.579{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9285BF167DACE13C730A47A54CD35A65,SHA256=0D3647FD28D71354132C54C9630FE9F5A0777A63F166F4C34B67F85FD5D1B32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674305Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:25.289{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674304Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:23.490{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51206-false10.0.1.12-8000- 23542300x8000000000000000674303Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:25.090{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3510750D67E4EC3FF49606699457F798,SHA256=DC5A1D53619303D7723E46D3BAB2AA73666161F6C76F97F785A6AC2265FFB7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572937Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.817{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF563B280CE44149EBC92585B6EA9C0A,SHA256=691BDFD5D87B31388237271720C0116AC6BE0119A8B771B8B5DD320ABF3B2353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572936Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.676{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E256C54E704E1EA16615D381D61E9DA,SHA256=3DD9D2B0D5566803AE07DAC7AE459DBEBBE3437C96C745CB9134FF85987ADF00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674309Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:26.288{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08E537F928012177B9B13D7A913A8927,SHA256=8853C5920C5C9C4B39D42D28CFC0F117BE1F15E29782A64CC8A523A80D1F2E8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674308Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:24.489{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51207-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000674307Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:24.489{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51207-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000674306Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:26.104{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25B50CA8BE3243268B7CC8C87F724D75,SHA256=6AA35130236C0C884C428D51C43D2FA91E10D942D9F579F77020236F046A3D9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572935Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.598{E1BD9FC2-8032-609D-0551-00000000BB01}20042420C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572934Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.473{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8032-609D-0551-00000000BB01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572933Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.473{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572932Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.473{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572931Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.473{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572930Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.473{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572929Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.473{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572928Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.473{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572927Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.473{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572926Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.473{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572925Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.473{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572924Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.473{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8032-609D-0551-00000000BB01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572923Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.473{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8032-609D-0551-00000000BB01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572922Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.474{E1BD9FC2-8032-609D-0551-00000000BB01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572951Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:27.739{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCE5D76A3200CEE26E4CF2DAD028F86,SHA256=BEEC86B37A82D813278B647BDC4578DF79AC012A5F7E47F93C13A8BD793E7DE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674320Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:27.839{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674319Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:27.839{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674318Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:27.839{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674317Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:27.839{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674316Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:27.839{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-8033-609D-2656-00000000BA01}8144C:\Windows\System32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674315Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:27.839{7B03F3B2-326C-609C-872D-00000000BA01}68926228Shell.Commands.DiagnWindowsPowerShell\v1.0\powershell.exe{7B03F3B2-8033-609D-2656-00000000BA01}8144C:\Windows\System32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\shell32.dll+3cd0f|C:\Windows\System32\shell32.dll+3cb9c|C:\Windows\System32\shell32.dll+3c8ec|C:\Windows\System32\shell32.dll+e2187|C:\Windows\System32\shell32.dll+e20e5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+38b3fc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+af0a27|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64) 154100x8000000000000000674314Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:27.838{7B03F3B2-8033-609D-2656-00000000BA01}8144C:\Windows\System32\slui.exe10.0.14393.4169 (rs1_release.210107-1130)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\System32\slui.exe" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=6DA00C320273915FA7A6E43A8AA2F0C5,SHA256=008AD5FDB6416DDDDA2851C9E8C45A37F4332394341EC5786C9079851A7A5A1E,IMPHASH=BE6A8F73F7A470237F542B6CFB4ECD5B{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 13241300x8000000000000000674313Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042SetValue2021-05-13 19:38:27.823{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\exefile\shell\open\command\(Default)powershell.exe 23542300x8000000000000000674312Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:27.440{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=834C5EDE51B09AE3FB599BC71DF0A50A,SHA256=263D4A620C980A53B8475204A343E1B8954D72C3B60013D5E79086044F994429,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674311Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:25.519{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51208-false10.0.1.12-8089- 23542300x8000000000000000674310Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:27.121{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FB7380BB692B9A6E0CFD6A9D54B7A1D,SHA256=9C71F593D0F92DAFBA8F5C5BDD89309D4C3DD591BFF1A89BC7DB8F671A212471,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572950Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:27.145{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8033-609D-0651-00000000BB01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572949Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:27.145{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572948Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:27.145{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572947Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:27.145{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572946Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:27.145{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572945Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:27.145{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572944Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:27.145{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572943Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:27.145{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572942Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:27.145{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572941Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:27.145{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572940Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:27.145{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8033-609D-0651-00000000BB01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572939Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:27.145{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8033-609D-0651-00000000BB01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572938Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:27.145{E1BD9FC2-8033-609D-0651-00000000BB01}2892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000572954Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:26.667{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52806-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000572953Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:28.785{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7CB03AF0B9E80C71F608AF20F61651D,SHA256=B695AC2933E191589D2A6A3265D438102D7D536BBBC3CDB1110FB80A12E19EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674365Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.838{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CAB05C82029917A34D73ABD29857027,SHA256=DDF2509F9A34A697138271CECB16C72EC1C9271E2854E713B5F9514DE9067D30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674364Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.811{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1F05B0835470D616A09C7846188F207A,SHA256=DB827FC1FEE91E6B9CF138E4459487093B690D0582F45EC1461F90BDF91153E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674363Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.472{7B03F3B2-8034-609D-2756-00000000BA01}65847740C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674362Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.472{7B03F3B2-8034-609D-2756-00000000BA01}65847740C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674361Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.472{7B03F3B2-8034-609D-2756-00000000BA01}65847740C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674360Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.472{7B03F3B2-8034-609D-2756-00000000BA01}65847740C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674359Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.472{7B03F3B2-8034-609D-2756-00000000BA01}65847740C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+171086|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674358Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.472{7B03F3B2-8034-609D-2756-00000000BA01}65847740C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674357Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.472{7B03F3B2-8034-609D-2756-00000000BA01}65847740C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+5b44|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+42aa|C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674356Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.472{7B03F3B2-8034-609D-2756-00000000BA01}6584ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFa7d4f25.TMPMD5=C1AE46287A9E66A12F8FC34C40EDE6FA,SHA256=D1B92E60683BCD90338239D20643C170D32315106314FAA3351F5107492DC1B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674355Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.435{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674354Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.404{7B03F3B2-D0CA-609A-1600-00000000BA01}13042068C:\Windows\system32\svchost.exe{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674353Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.404{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674352Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.372{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674351Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.372{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674350Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.372{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674349Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.372{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674348Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.372{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674347Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.333{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674346Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.332{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674345Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.332{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674344Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.332{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674343Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.331{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674342Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.331{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674341Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.331{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674340Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.331{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674339Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.295{7B03F3B2-D0CA-609A-1600-00000000BA01}13042068C:\Windows\system32\svchost.exe{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674338Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.295{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674337Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.290{7B03F3B2-8034-609D-2856-00000000BA01}50567272C:\Windows\system32\conhost.exe{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674336Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.282{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=445B86FEAA5BEA5171C2CF12649E7641,SHA256=2829EFF253E156B2A25F43FE955926191E430A0276D913CAEDEF643720A58F71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674335Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.280{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2D7E11347D8270C2EB13548C2201E08B,SHA256=094CDF22EAE67C4A156602D1E1B8FBEFBD1114FA6DBAED964E2507AE4625D1BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674334Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.271{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674333Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.257{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674332Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.257{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674331Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.257{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674330Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.256{7B03F3B2-319D-609C-402D-00000000BA01}22885884C:\Windows\system32\csrss.exe{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674329Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.256{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674328Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.256{7B03F3B2-8033-609D-2656-00000000BA01}81444708C:\Windows\System32\slui.exe{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+3d443|C:\Windows\System32\SHELL32.dll+3d30b|C:\Windows\System32\SHELL32.dll+3cc27|C:\Windows\System32\SHELL32.dll+dcb5e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000674327Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.252{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"PowerShell.exe" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7B03F3B2-8033-609D-2656-00000000BA01}8144C:\Windows\System32\slui.exe"C:\Windows\System32\slui.exe" 10341000x8000000000000000674326Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.248{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-8033-609D-2656-00000000BA01}8144C:\Windows\System32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674325Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.246{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-8033-609D-2656-00000000BA01}8144C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674324Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.205{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52171CF2606A0E66A96E24BFFC7B02D0,SHA256=70A27614AA2DD62D9227047873684890CBA35DDE939CB6C0D1E8EEE77DDD8581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572952Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:28.051{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08B232EBA594D7C23B30366D1AFD0516,SHA256=43A096ABC5CE188ACA6711E3D7B8348AE8CFEED373CEBDF47E40D9C6FA6E0FB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674323Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.140{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-8033-609D-2656-00000000BA01}8144C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674322Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.136{7B03F3B2-D0CA-609A-1600-00000000BA01}13042068C:\Windows\system32\svchost.exe{7B03F3B2-8033-609D-2656-00000000BA01}8144C:\Windows\System32\slui.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674321Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:28.136{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-8033-609D-2656-00000000BA01}8144C:\Windows\System32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572956Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:29.864{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572955Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:29.801{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BB5000421E501241DEEBD7DF385DA5,SHA256=712E5D0144EF10450FF32A2922DF358D724F42EB95CE5DF8E0DE36FCFE059B7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674373Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:29.601{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674372Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:29.601{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674371Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:29.478{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EC90C5945379876194DB5B966A5A68,SHA256=356A0EE752B9C7D719DF87BCB58FBE709A4ABBE156A0936DE7F9EB355148FA20,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000674370Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-CreatePipe2021-05-13 19:38:29.460{7B03F3B2-8034-609D-2756-00000000BA01}6584\PSHost.132654083082521639.6584.DefaultAppDomain.powershellC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe 23542300x8000000000000000674369Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:29.433{7B03F3B2-8034-609D-2756-00000000BA01}6584ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_bpcdxyrr.5hi.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674368Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:29.430{7B03F3B2-8034-609D-2756-00000000BA01}6584ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vp2bf0gg.rxd.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000674367Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:29.295{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vp2bf0gg.rxd.ps12021-05-13 19:38:29.295 10341000x8000000000000000674366Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:29.275{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000572958Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:30.848{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6B25A37D6B11CB26D46173C6799D9AE,SHA256=80F919ADACD686047EBFEB688135AA53112C35F29189682461D5B6EA26237ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572957Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:30.801{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1671BCFC58F99616BECDB5E99797E4A8,SHA256=FBC17CC0DC710995D71DDDB9AA9A2E19F9330E25C00552A5038249A6437A0F8A,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000674386Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042DeleteKey2021-05-13 19:38:30.866{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\exefile\shell 12241200x8000000000000000674385Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042DeleteKey2021-05-13 19:38:30.866{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\exefile\shell\open 12241200x8000000000000000674384Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042DeleteKey2021-05-13 19:38:30.866{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\exefile\shell\open\command 10341000x8000000000000000674383Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:30.767{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674382Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:30.767{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674381Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:30.767{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674380Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:30.767{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674379Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:30.767{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674378Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:30.767{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000674377Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:29.276{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51209-false10.0.1.12-8000- 23542300x8000000000000000674376Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:30.299{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1F7EB70407DD2B913AFF94C11A445B2,SHA256=EEEE8698DBC0B2778224E386943BE8D1966AE344FB0AF08A68228D645DB8D2C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674375Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:30.283{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CF4272123E8B5FE641FBE77A59A6826F,SHA256=42221E3A7ED22744078BB202072F2E4DAEB61775D3D017721D22F699BCE382A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674374Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:30.038{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC01F9ACD6353BA7505AB43514D0D2A1,SHA256=51BC66A08BFC103842DAFFD83A71D8D74FA96E1F6903F2A87444FA0A1DA98062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572959Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:31.832{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4930D2DDADB06C5AD5405A4AE9ED1C75,SHA256=8D95C680EC03A66B5C5E9808CC7F3AB3D67C7263D9B3700C58BF80E513640125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674388Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:31.899{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=03D31C13CE97EF2E2623065B64AA6BEC,SHA256=BC00F5F0D44BE715225EEE2E440CE1D6BDE31D091602ACB5EC21B5648D8DFBA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674387Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:31.330{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E679BD89A30759685830666C4ECE1A,SHA256=2EB09726D8CE5C1FF0835349CE07616D04D1D12F6C29639591F522165FE41D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572961Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:32.848{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F582B8355FB7F3FCA43A5A436A119BD,SHA256=85E237F14948CAD244557116BEBFD755577361E1D33EBB820D9B20345CF35E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674389Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:32.348{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=701AEF24F341EFBB8F86DA1FDD35E92D,SHA256=5622AB4703C9DD6C4FE6A02F8DAC484FF4E8869058EC95BF62CAA4F607E48203,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572960Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:29.479{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52807-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000572963Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:33.880{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66994CFA7B44E84326A5087A9D4F478,SHA256=09F36DD18562A870723CC5C6490B6D88B46000829519A9E9DB5EAF0AD27D4495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674390Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:33.381{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BBAC9A8F0ED609B1D3DD98DD1FFDBAC,SHA256=085BE4D77C06EFF3A80E3FCB2787C9B17702A8C91E1DB7B489573E997BAB1001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572962Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:33.177{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A86A0ADC520FB143CC84F1602FB968C,SHA256=223909C28BC52D303503B93A3442BB70E378467874655A9ADE66857CCDC2FB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572965Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:34.894{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478A0A19BF6B52F6068BA420AFDC7BF6,SHA256=338C0F4B5F47DD5D504527DE8C36C8922C244FF205A3AF177E5257570D9E2FD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674391Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:34.396{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F4645823AEA06D4D2C5F0DA7FDF67FA,SHA256=97A0AB0A65D34AAD86085B36623D8CD8814F2F3C777C34338A159415390D9CF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000572964Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:31.776{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52808-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000674433Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.417{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57C5EC1536EC46CFEE0D93B91637F64,SHA256=2D9893F9D475B249B4B652BFAEF73026834F27C446D7819E6BB5D28B24EE114A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572992Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.879{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-803B-609D-0851-00000000BB01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572991Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.879{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572990Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.879{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572989Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.879{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572988Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.879{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572987Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.879{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572986Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.879{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572985Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.879{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572984Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.879{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572983Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.879{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572982Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.879{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-803B-609D-0851-00000000BB01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572981Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.879{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-803B-609D-0851-00000000BB01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572980Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.880{E1BD9FC2-803B-609D-0851-00000000BB01}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000572979Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.332{E1BD9FC2-803B-609D-0751-00000000BB01}963884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572978Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.207{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-803B-609D-0751-00000000BB01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572977Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.207{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572976Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.207{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572975Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.207{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572974Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.207{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572973Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.207{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572972Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.207{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572971Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.207{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572970Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.207{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572969Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.207{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572968Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.207{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-803B-609D-0751-00000000BB01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572967Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.207{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-803B-609D-0751-00000000BB01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572966Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:35.208{E1BD9FC2-803B-609D-0751-00000000BB01}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000674432Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.286{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2A56-00000000BA01}7348C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674431Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.286{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2A56-00000000BA01}7348C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674430Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.286{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2A56-00000000BA01}7348C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674429Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.271{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-803B-609D-2B56-00000000BA01}7808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674428Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.271{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-803B-609D-2B56-00000000BA01}7808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674427Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.271{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2A56-00000000BA01}7348C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674426Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.271{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2A56-00000000BA01}7348C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674425Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.271{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2A56-00000000BA01}7348C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674424Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.271{7B03F3B2-31A0-609C-522D-00000000BA01}18764012C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2A56-00000000BA01}7348C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674423Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.271{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2B56-00000000BA01}7808C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674422Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.271{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2B56-00000000BA01}7808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674421Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.271{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2B56-00000000BA01}7808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674420Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.271{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2B56-00000000BA01}7808C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674419Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.255{7B03F3B2-D0CA-609A-1600-00000000BA01}13042068C:\Windows\system32\svchost.exe{7B03F3B2-803B-609D-2B56-00000000BA01}7808C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674418Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.255{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-803B-609D-2B56-00000000BA01}7808C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674417Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.255{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=57208C7792B90BF7177D7246C7DF6E03,SHA256=5F5D7FBCB8E2C643C7F6E5646762A8EC3E44DB30AB0564309AC1D215965BA09C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674416Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.254{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=445B86FEAA5BEA5171C2CF12649E7641,SHA256=2829EFF253E156B2A25F43FE955926191E430A0276D913CAEDEF643720A58F71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674415Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.235{7B03F3B2-803B-609D-2B56-00000000BA01}78086692C:\Windows\system32\conhost.exe{7B03F3B2-803B-609D-2A56-00000000BA01}7348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674414Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.203{7B03F3B2-319D-609C-402D-00000000BA01}2288452C:\Windows\system32\csrss.exe{7B03F3B2-803B-609D-2B56-00000000BA01}7808C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674413Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.188{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-803B-609D-2A56-00000000BA01}7348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674412Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.188{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674411Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.188{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674410Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.188{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674409Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.188{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674408Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.188{7B03F3B2-803B-609D-2956-00000000BA01}50923008C:\Windows\System32\slui.exe{7B03F3B2-803B-609D-2A56-00000000BA01}7348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+3d443|C:\Windows\System32\SHELL32.dll+3d30b|C:\Windows\System32\SHELL32.dll+3cc27|C:\Windows\System32\SHELL32.dll+dcb5e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000674407Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.193{7B03F3B2-803B-609D-2A56-00000000BA01}7348C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7B03F3B2-803B-609D-2956-00000000BA01}5092C:\Windows\System32\slui.exe"C:\Windows\System32\slui.exe" 10341000x8000000000000000674406Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.188{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-803B-609D-2956-00000000BA01}5092C:\Windows\System32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674405Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.171{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-803B-609D-2956-00000000BA01}5092C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674404Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.133{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-803B-609D-2956-00000000BA01}5092C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674403Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.133{7B03F3B2-D0CA-609A-1600-00000000BA01}13042068C:\Windows\system32\svchost.exe{7B03F3B2-803B-609D-2956-00000000BA01}5092C:\Windows\System32\slui.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674402Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.133{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-803B-609D-2956-00000000BA01}5092C:\Windows\System32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674401Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.085{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674400Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.085{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674399Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.085{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674398Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.085{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674397Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.085{7B03F3B2-319D-609C-402D-00000000BA01}2288452C:\Windows\system32\csrss.exe{7B03F3B2-803B-609D-2956-00000000BA01}5092C:\Windows\System32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674396Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.085{7B03F3B2-326C-609C-872D-00000000BA01}68926228Shell.Commands.DiagnWindowsPowerShell\v1.0\powershell.exe{7B03F3B2-803B-609D-2956-00000000BA01}5092C:\Windows\System32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\shell32.dll+3cd0f|C:\Windows\System32\shell32.dll+3cb9c|C:\Windows\System32\shell32.dll+3c8ec|C:\Windows\System32\shell32.dll+e2187|C:\Windows\System32\shell32.dll+e20e5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+38b3fc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+af0a27|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64) 154100x8000000000000000674395Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.083{7B03F3B2-803B-609D-2956-00000000BA01}5092C:\Windows\System32\slui.exe10.0.14393.4169 (rs1_release.210107-1130)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\System32\slui.exe" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=6DA00C320273915FA7A6E43A8AA2F0C5,SHA256=008AD5FDB6416DDDDA2851C9E8C45A37F4332394341EC5786C9079851A7A5A1E,IMPHASH=BE6A8F73F7A470237F542B6CFB4ECD5B{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 13241300x8000000000000000674394Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042SetValue2021-05-13 19:38:35.070{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\exefile\shell\open\command\(Default)cmd.exe 23542300x8000000000000000674393Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.053{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65CC84D8A7BF46808D3E68547F4F541E,SHA256=A6AFA226974EF17391023488BDB381AA5F00EA65645EA98EF68F309F2F0FED22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674392Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:35.051{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC5790EE18C5C64A5580311C3239FEB3,SHA256=684F0658B744147771B8B8E241E3412ABAD42E8B7449A4250AC90167E55F23C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674443Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:36.433{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431E5ED8AA0381E2B3CBC3D42F9907F8,SHA256=BDF05290D7239103B50292D82FCE4005F042E39AB6EE98DB7D830544A02B81DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573009Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.676{E1BD9FC2-803C-609D-0951-00000000BB01}676616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573008Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.551{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-803C-609D-0951-00000000BB01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573007Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.551{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573006Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.551{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573005Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.551{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573004Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.551{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573003Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.551{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573002Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.551{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573001Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.551{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573000Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.551{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572999Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.551{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000572998Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.551{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-803C-609D-0951-00000000BB01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000572997Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.551{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-803C-609D-0951-00000000BB01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000572996Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.552{E1BD9FC2-803C-609D-0951-00000000BB01}676C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000572995Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.223{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3CECD70B03457EE62144630327D63D6,SHA256=6C5E727D43C03DA3FB80CD95CC4B03DCBF94911943C3D712F91011D5B41D73CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000572994Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.129{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1485FA513AB08CFDCF4C52BCDFD87950,SHA256=2990CF88F1DF5E7FA5FE75AF1F04B0F2EF4C15DEA88E51F94243A6AD0B2942ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000572993Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.004{E1BD9FC2-803B-609D-0851-00000000BB01}3521588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674442Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:36.385{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674441Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:36.385{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674440Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:36.385{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674439Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:36.385{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674438Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:36.385{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674437Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:36.385{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000674436Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:34.288{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51210-false10.0.1.12-8000- 23542300x8000000000000000674435Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:36.085{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65CC84D8A7BF46808D3E68547F4F541E,SHA256=A6AFA226974EF17391023488BDB381AA5F00EA65645EA98EF68F309F2F0FED22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674434Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:36.070{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=20F806175616F31A56B885300681960E,SHA256=20F88B1B362E7C9FAB8D979A017CEF27273CCFE662422936F8B8A02C09827D29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674444Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:37.449{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4218454DAFCA79A5BF8CBDEDCFB3035,SHA256=136579C088B2AB562ADDDC410E0331CE434A56A4C685BED8BEBA5F6217D7F806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573024Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:37.551{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84BF15AA017AD469F1B1500A81C61E66,SHA256=27D0D60E8C20B857DB52B420CE71AF979BEE873FC7323B1C4FCB11C30ED4C777,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573023Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:37.223{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-803D-609D-0A51-00000000BB01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573022Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:37.223{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573021Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:37.223{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573020Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:37.223{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573019Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:37.223{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573018Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:37.223{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573017Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:37.223{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573016Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:37.223{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573015Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:37.223{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573014Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:37.223{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573013Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:37.223{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-803D-609D-0A51-00000000BB01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573012Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:37.223{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-803D-609D-0A51-00000000BB01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573011Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:37.224{E1BD9FC2-803D-609D-0A51-00000000BB01}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573010Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:37.004{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6FB4E89266DEEA724B0E27873FA548,SHA256=CC287E694BF3E1383EDA8A3B113590E2721BEA1F6D2B666563E59D0B51703388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674446Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:38.471{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D65432F9C4ACF85EEC7DB819A5B81E5,SHA256=81F30B2F09371A44436CD90DC2B7D10BABAC6D01BB7E72B80A74EE1AD9E457EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573025Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:38.020{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB98FD206040CD4DC0DB0D0BB1B7965,SHA256=49E33461422F0CC69A80BD1E8FB0357BDBD2B8FA5E08B8133119BFEB4D36E513,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674445Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:38.418{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DFC4618FFF7A15173B19158EAAE72C94,SHA256=C32B4744A630C367EC93B5B26CFE0331296D412147342C055CD3CD842A354615,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674450Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:39.953{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000674449Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:39.951{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674448Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:39.951{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa7d7c02.TMPMD5=36DBBADA813EDB200C2B5A8128054E48,SHA256=F4E0DB2CD90C5DD2683AE772A460616D1F0DB8B7E1C978F725E37B250DA33754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674447Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:39.485{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32EDC66313BA2A71846C04F655039773,SHA256=4A8A20115A9C1E518549165DDD37CBADCE5F374C0193CDD78E196099F3FAC438,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573027Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:36.792{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52809-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573026Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:39.067{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1C2FBC6DB9950ECBB8BC6B7F3BAABF,SHA256=748A2C46C4148E7B07B4DF27FEB8037493C6DCF4CBC5C0982239D9FB99578A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674453Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:40.499{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E691C5D16330C45D1F716CB5119BF93,SHA256=122E217BD17A8D345D841419A180502CB872029233B8A387137330D475DE9BBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573028Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:40.098{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A19534BD849D16D3953275E07E21C2,SHA256=ED50A98F762D04D6AB77D68155B2CA4D0419D84FB65E6A7825C186ED02DFDB6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674452Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:39.315{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51211-false10.0.1.12-8000- 23542300x8000000000000000674451Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:40.115{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20968F9D6CF6EEF2562EDADCE5E76FC4,SHA256=308CDA4267ED1545778D54C3EB90CDD0F6EEFBD849E29671976A95C01198BBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674454Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:41.515{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C803C18AED22FC249DA99E3C59B0CDD8,SHA256=3C4EF5E727C4F00DFFE1B2157BF1135A05670E4714C18C2A2667C7D7CC22C658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573029Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:41.114{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A04C57E6FD0F651B305E22867E9D90,SHA256=89FBA2D347A84937E55F751B0F6B73DA54D64A7143CB7699E53B0BC6E7DD359B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674456Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:42.548{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E996A2323305D692A36FA22AC899675,SHA256=D111A5BF1AC92EC53512FE8170E9FD02E4D451130953E8B10EDA664C0CBA30C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573030Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:42.129{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A1D0184D87C78ED7AF4B54C7901760,SHA256=2C03A5D0B183ED13BD5906CB706C2F97C97171E97BFF181B4F55DB52CB30F43C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674455Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:42.449{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=097F8C68E9677E634779A9A0F7539C76,SHA256=F6C2CE00384A9F516C6C6A5C27D91E4BF634CDC1C2FDCAC68DECDB24999B028C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674457Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:43.566{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59D9FC176335C6E6297F92181FE459C7,SHA256=9DF600F52FC525F7CA082837007371FCA08C156BD477CC4F895F469EDD3C6617,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573034Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:41.870{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52810-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573033Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:43.270{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79B12BF72496897BE64FD5831ED3F530,SHA256=FF8EFCA87AE79D4087AAAF1B458D9A9E706D090A3518BB972EE0A8F75838068C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573032Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:43.270{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BEEA736DFFCB435803C52D707A7F8E7,SHA256=6B647AEB9F97F58C474096DB30722920A218FA07BC9FAFD47F45DE44C59B6357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573031Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:43.145{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=634E279F2FACD3AE884712DB319489D4,SHA256=40174E54B557E191EB0A521AD1C50D53E8E96E047CAA4CFFB3390D1B2D312E13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674459Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:44.581{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C944DB9A452560F8069EC4200ECE4C,SHA256=E8D5F04BE03C0A601A08A09AD6445AADD47896A0E13799DA455AF720837496FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573035Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:44.161{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F665FA3733286E7A47E7157018D6EFA,SHA256=0D3063383393F3D211441BD7FE7247648D593C2EAFD8FF9975B4E49D11BA71E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674458Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:44.528{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=02E64764FAA178186F82B2E366FF79B5,SHA256=4C183238CA7FB10306DD62D155B4126C332F99450ED6D199F0F11B67AD306D5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674478Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.727{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8045-609D-2D56-00000000BA01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674477Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.727{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674476Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.727{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674475Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.727{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674474Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.727{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674473Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.727{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-8045-609D-2D56-00000000BA01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674472Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.727{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8045-609D-2D56-00000000BA01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674471Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.727{7B03F3B2-8045-609D-2D56-00000000BA01}2876C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000674470Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:44.343{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51212-false10.0.1.12-8000- 23542300x8000000000000000674469Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.596{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256EC01D95AA4FF4B5772C607C146080,SHA256=A2188B9D878717EFB3B7B44DD9C5F0D701164663A26759D7D8B4BF33261B21F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573036Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:45.192{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644B51B7B2F3BB22A5718134A3E74BA5,SHA256=BFB41C4A0D672477853FF7D3DE5929CBAD5E1455FEE825F0975997B1D6E67D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674468Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.112{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=315263797AD6604025F5E428D17F93B6,SHA256=25214C463E8FF339441C2A59CC41FFFE12FB7011E892D4BA96C18D1D0ABAB2BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674467Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.065{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8045-609D-2C56-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674466Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.065{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674465Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.065{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674464Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.065{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674463Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.065{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674462Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.065{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8045-609D-2C56-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674461Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.065{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8045-609D-2C56-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674460Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:45.066{7B03F3B2-8045-609D-2C56-00000000BA01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000674489Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:46.648{7B03F3B2-8046-609D-2E56-00000000BA01}19162108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674488Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:46.611{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE01BDACF0E112C662285F5102E42507,SHA256=941CEA557C1C41A6645A249D354BDD5185FFB79570BBE01DAE136DB4CA1ADE83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573037Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:46.207{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E41C0EFE21BB582CD17C5F83183A26,SHA256=4A27EF8049C754EB35CBB7E68A772B98638979315110930C32784F420F85B719,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674487Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:46.380{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8046-609D-2E56-00000000BA01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674486Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:46.380{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674485Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:46.380{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674484Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:46.380{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674483Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:46.380{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-8046-609D-2E56-00000000BA01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674482Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:46.380{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674481Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:46.380{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8046-609D-2E56-00000000BA01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674480Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:46.381{7B03F3B2-8046-609D-2E56-00000000BA01}1916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000674479Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:46.311{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0BC509DCC1D2DD532E6AA07566FEBF7,SHA256=00719F61FDADEC3DA2D3214DA3DC39D32D7DEF332A0C74BF9E049FD02C754C05,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674511Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.910{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8047-609D-3056-00000000BA01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674510Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.910{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674509Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.910{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674508Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.910{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674507Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.910{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674506Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.910{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-8047-609D-3056-00000000BA01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674505Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.910{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8047-609D-3056-00000000BA01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674504Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.911{7B03F3B2-8047-609D-3056-00000000BA01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000674503Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:46.391{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-18.attackrange.local138netbios-dgm 354300x8000000000000000674502Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:46.391{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-18.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x8000000000000000674501Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.626{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C237DC6D307C3421F1677F5A4DA5B8,SHA256=8DF7D958BDF9459EED5014E8F77813453042A133BB22AA5B59B26B5C702F91F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573038Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:47.228{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9B2E4FE474AA856C2D7FC3C7B757536,SHA256=558B326866119F91F2D799F5E9ED0FC894F7636360E0180CFB1D0BD3021AF96C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674500Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.495{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-472D-00000000BA01}4204C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674499Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.426{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4291676493F17128B483E7B0BD9ACF22,SHA256=44153BF9B2C9714442C6B774C4156207A97B50AC9350858AE146C929B2E7D216,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674498Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.410{7B03F3B2-8047-609D-2F56-00000000BA01}6847172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674497Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.226{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8047-609D-2F56-00000000BA01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674496Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.226{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674495Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.226{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674494Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.226{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674493Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.226{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674492Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.226{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-8047-609D-2F56-00000000BA01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674491Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.226{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8047-609D-2F56-00000000BA01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674490Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:47.227{7B03F3B2-8047-609D-2F56-00000000BA01}684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000674514Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:48.647{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63476A3107DBA560DD074DC39417472,SHA256=077CEC33271188C98F6C44E324FB7518085423CFC3380DCA611F13722FFC16F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573039Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:48.306{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35ECB3ED56FE445E8098FF6815744C7,SHA256=ADE553318231DBBC8DD779625C110690DABD5CF006708D2D89DEC251ADDC3CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674513Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:48.444{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68BC4626C75A82C03AF9DEA1A031300A,SHA256=3CD385BE7B8B6B2B03FB293AA150811565960E8C8E4D460FFAC09E6B720C94CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674512Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:48.096{7B03F3B2-8047-609D-3056-00000000BA01}28606088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674515Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:49.709{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045038127A82EDFEE7A41DEF4C4AD86E,SHA256=ACBDBE9E79B1B91D5B03F7E7BC644D73607E5C5950D278DD621C3886C8DCC561,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573044Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:47.687{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52811-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573043Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:49.338{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C9C1A6D4C4DB2A2171CA36C23B307E,SHA256=5F86A5223DF3C5311255A182AA14CEC042C7AD0A0FF794FBD6F1C204EA3E0F1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573042Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:49.182{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281644C:\Windows\system32\lsass.exe{E1BD9FC2-D2B7-609A-0100-00000000BB01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000573041Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:49.087{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1084066CF52D8CFD742069DC2589F0DE,SHA256=384948597D85283E0F34806B3C2A4726E6FCDDC862AFA09A126D249F1718283A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573040Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:49.087{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79B12BF72496897BE64FD5831ED3F530,SHA256=FF8EFCA87AE79D4087AAAF1B458D9A9E706D090A3518BB972EE0A8F75838068C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674526Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:50.861{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-804A-609D-3156-00000000BA01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674525Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:50.861{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674524Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:50.861{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674523Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:50.861{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-804A-609D-3156-00000000BA01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674522Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:50.861{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674521Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:50.861{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674520Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:50.861{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-804A-609D-3156-00000000BA01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674519Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:50.863{7B03F3B2-804A-609D-3156-00000000BA01}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000674518Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:50.776{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9A439F480BFB1C6DC12B4ADF13D6EA25,SHA256=6E4492A95E82E71E269C1DEC026B9BA83718F4E3F16E92F261EC7AAB5AB02C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674517Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:50.742{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3A3CE9C4333D7B30DA00D85F03697E,SHA256=0B3BFEA23129B68A4ECB3F833EA1D930E975AD6D561678A15A3A074C308D8D38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573049Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:48.817{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52812-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal445microsoft-ds 354300x8000000000000000573048Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:48.816{E1BD9FC2-D2BA-609A-1400-00000000BB01}388C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-681.attackrange.local58476-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal53domain 354300x8000000000000000573047Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:48.816{E1BD9FC2-D2BA-609A-1400-00000000BB01}388C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:f8e0:e2b9:8de5:ffff-58476-truea00:10e:0:0:0:0:0:0ip-10-0-1-14.us-west-2.compute.internal53domain 23542300x8000000000000000573046Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:50.370{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138595E31AA92E2807E791217B3845BB,SHA256=097CDC155A74E7784EE1E4C4C01AD4D29149AAF31B34637B95FFE4CEE9DA409E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674516Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:50.208{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=324C5874B9F1892E1476DCA6D9AD2BF7,SHA256=E8848431D4BFA0E58CAE01BAF4459F14987ED72310A0077B2468F4FE67A29012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573045Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:50.307{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1084066CF52D8CFD742069DC2589F0DE,SHA256=384948597D85283E0F34806B3C2A4726E6FCDDC862AFA09A126D249F1718283A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573050Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:51.416{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4216C33E26831DDB6B0AD4B1130A50D3,SHA256=F4E5F177EA8EB02406EA899176E95F9BB94501CDE99F3553096AC9C6417C75F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674566Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.979{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D20D0DDBB5F1C2643B54AC3AF0B204C,SHA256=D57472FF90224331563E838BAE5F2EEAC0B5DE27CDD0199F2250B6D046E88F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674565Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.979{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E6DA6362FF0BFFDC14C0B0E854EF6342,SHA256=569AA4D59E244ED90E3C0BD90F4698417AE32626E363625ADDE3EAB418816AED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674564Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.779{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674563Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.779{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674562Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.779{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674561Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.779{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674560Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.779{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674559Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.779{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674558Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.779{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674557Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.748{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674556Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.748{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674555Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.748{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674554Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.748{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674553Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.748{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674552Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.748{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674551Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.664{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674550Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.648{7B03F3B2-D0C8-609A-0B00-00000000BA01}6323024C:\Windows\system32\lsass.exe{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674549Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.643{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674548Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.642{7B03F3B2-D0CA-609A-1600-00000000BA01}13042068C:\Windows\system32\svchost.exe{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674547Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.641{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000674546Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:49.436{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52812-false10.0.1.14win-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000674545Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:49.434{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal58476- 10341000x8000000000000000674544Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.591{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674543Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.591{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674542Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.591{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674541Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.591{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674540Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.591{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674539Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.591{7B03F3B2-326C-609C-872D-00000000BA01}68926228Shell.Commands.DiagnWindowsPowerShell\v1.0\powershell.exe{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\shell32.dll+3cd0f|C:\Windows\System32\shell32.dll+3cb9c|C:\Windows\System32\shell32.dll+3c8ec|C:\Windows\System32\shell32.dll+e2187|C:\Windows\System32\shell32.dll+e20e5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+38b3fc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+af0a27|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64) 154100x8000000000000000674538Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.592{7B03F3B2-804B-609D-3356-00000000BA01}7916C:\Windows\System32\slui.exe10.0.14393.4169 (rs1_release.210107-1130)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\System32\slui.exe" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=6DA00C320273915FA7A6E43A8AA2F0C5,SHA256=008AD5FDB6416DDDDA2851C9E8C45A37F4332394341EC5786C9079851A7A5A1E,IMPHASH=BE6A8F73F7A470237F542B6CFB4ECD5B{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 13241300x8000000000000000674537Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042SetValue2021-05-13 19:38:51.576{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\exefile\shell\open\command\(Default)f 12241200x8000000000000000674536Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042DeleteKey2021-05-13 19:38:51.560{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\exefile\shell\open\command 10341000x8000000000000000674535Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.523{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-804B-609D-3256-00000000BA01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674534Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.523{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674533Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.523{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674532Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.523{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674531Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.523{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-804B-609D-3256-00000000BA01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674530Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.523{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674529Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.523{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-804B-609D-3256-00000000BA01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674528Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.524{7B03F3B2-804B-609D-3256-00000000BA01}1976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000674527Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:51.092{7B03F3B2-804A-609D-3156-00000000BA01}67045980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674578Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:52.910{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ED7E9867E592C69AC833F920D16228C,SHA256=C31A7477142FB2043CC8DBDD0E36406BFF9E1FB279817237E848695DDDC29763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674577Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:52.764{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809B17E49A7804759443FD2540EAFABB,SHA256=0D71915B2806C77F33BA008F7893B62E78E64AF7770D60CFD520C3DBA4F3AAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573051Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:52.463{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9589B5A793697DC5199B68B49236B5C3,SHA256=14BF5DD5A54EED979F61C141D1DC3748D91E3FE0EB1284A610FF4972FCAA8659,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674576Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:50.385{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51213-false10.0.1.12-8000- 23542300x8000000000000000674575Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:52.595{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C5CE0AB6F59FA948CC03D2E81BAB4C0E,SHA256=18838275B844CC5A0C722FC56703F4AE93536EFEFFC55791C1B48648BE9BBA64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674574Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:52.343{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EF3E659EE9372BDAD62A00A911C1D381,SHA256=774103E2BB48307A95B1920C928417A5A556971F463F120D7395E2D69EE0D55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674573Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:52.342{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=57208C7792B90BF7177D7246C7DF6E03,SHA256=5F5D7FBCB8E2C643C7F6E5646762A8EC3E44DB30AB0564309AC1D215965BA09C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674572Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:52.326{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674571Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:52.326{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674570Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:52.326{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674569Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:52.326{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674568Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:52.326{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674567Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:52.326{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674580Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:53.778{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F78FF3185403E3D6C81AF602481CD8,SHA256=F5DCBAA9D4F6EB7C5FE33A5DB6655C69F3CF1EC05A02D83DDACB7C18C8E1C59A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573052Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:53.479{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1AF584727056D9004EF5E7C059F524,SHA256=AA6B808A78B448D6289C7E43D9FAEB2009BDB01D41DD95E938850A4FC7BEE9C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674579Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:53.578{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D9E350DA6225C3E4393F60488140BB1E,SHA256=915283693307674B041EF3ACE69EA169CF8FE5E44A3D62B41ADD50F4114E480E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674581Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:54.792{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED437EF7210D10B72F3431B508C2F0D,SHA256=1F98C1BB88D5D24C389B1B47BAA754B01F5665181D532D4B3349479C511311AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573054Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:54.541{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0784828115B0313D33FFCB1D3DE7152D,SHA256=A41DEA1DCAD41EA84A01A3F17FFBF19F15FED073F883BC65D99667A81CD24BEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573053Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:54.354{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD70168FDA2FD5E20B05EDE328871F16,SHA256=29DD43CA8621A69D5ACBB40966C8C2AD13EA27CE64F3DA5FB399B1AEB6EE83CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674588Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:55.792{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0718E9F1DA98D572C5A360060D6A772,SHA256=757A6C3E41FF80A21CBB71B137AEB4CD23F7A8206B8BA9841562354AE9FBDC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573055Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:55.666{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6ECD9A453D794A981581D2960C1AC8,SHA256=500E3CD428F7DD3EFD60410E1D43CF200D61468FA1418D083E557099435ECB60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674587Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:55.276{7B03F3B2-804F-609D-3456-00000000BA01}44326904C:\Windows\system32\wbem\wmiprvse.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\combase.dll+24fe2|C:\Windows\System32\combase.dll+25d0e|C:\Windows\System32\combase.dll+25b1f|C:\Windows\System32\combase.dll+58e58|C:\Windows\System32\combase.dll+58a70|C:\Windows\System32\combase.dll+65aa7|C:\Windows\System32\combase.dll+c2064|C:\Windows\System32\combase.dll+62ae1|C:\Windows\System32\combase.dll+642c0|C:\Windows\System32\combase.dll+217a|C:\Windows\System32\RPCRT4.dll+da374|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000674586Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:55.107{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CA4F63BCFAA81782D164137797F2D22A,SHA256=1782B2D5777CF9B2B071C05CC733CF9FD7050AC438D40FCD34990D086180A9C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674585Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:55.091{7B03F3B2-D0CA-609A-1600-00000000BA01}13043836C:\Windows\system32\svchost.exe{7B03F3B2-804F-609D-3456-00000000BA01}4432C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+1016a|C:\Windows\system32\wbem\wbemcore.dll+2d15f|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674584Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:55.076{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-804F-609D-3456-00000000BA01}4432C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674583Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:55.045{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-804F-609D-3456-00000000BA01}4432C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674582Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:55.045{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-804F-609D-3456-00000000BA01}4432C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000573057Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:56.713{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23E0DC2E0D96380ECCD53C2E6CCF854,SHA256=636895CDEC9084674C16F0B681F42F5CA138FF9AB39D84137EDF63EBD7E17BA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674590Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:56.807{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9F89E3908BFDFDD7CBD7B2E439F282,SHA256=27CD349E4235ED8E8C5C95ADC37000C988B81491C546FD88FC8D44B53EF3BA68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674589Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:56.023{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAFB9C5506C98A792C7050081C00446B,SHA256=DD65BA784638D8F12CCC2AD40373267F7A78DF448A864B29C3FDAC0EE76F2EAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573056Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:52.751{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52813-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573058Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:57.729{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4235186A959F6B7768440AB713BF95F5,SHA256=8324EE72714639600B32107695692665AEF635CF32661B309F368B7DEB780377,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674595Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:55.484{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51214-false10.0.1.12-8000- 23542300x8000000000000000674594Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:57.809{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90ECAE4CF1D53853891966DD9D8A6247,SHA256=E436D28BA8F437D5F7407264F57F4CDB2DA69ABD57FD1522B17D6CD24E020AB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674593Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:57.494{7B03F3B2-8012-609D-1F56-00000000BA01}6240NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics\energy-trace.etlMD5=910E7E5B5E0569E55AFD917DA8303E2B,SHA256=68BE231644034EDAF05024AF4BE79187CBF702FCECFB1686D02C761607555414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674592Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:57.344{7B03F3B2-8012-609D-1F56-00000000BA01}6240NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=15F2D97D4CC84928F7B1C451696E46CC,SHA256=681ED90C97CC621F8D31C36C594202838DA4C282F9FB850E53C28AA024ACCF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674591Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:57.342{7B03F3B2-8012-609D-1F56-00000000BA01}6240NT AUTHORITY\SYSTEMC:\Windows\system32\taskhostw.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\IDR_XML_DEFAULT_TRANSFORM[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674597Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:58.909{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130E5C1EC668A0D5968546CBD45D4B86,SHA256=1D507EB6739B433E0E35A28D9B75FC7A3D6FA7889F34A2C21F65971A1BAC8432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573059Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:58.760{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C646AE1559BDF41A0455B25CDBE8E2,SHA256=A367ACDC75A31F32261A204B53E934F94FA4C2FD6677F680FCBA7F81DDC3B1A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674596Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:58.343{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56129FC4B580402A298A7AA1FD719869,SHA256=20334E4E55E77E54E66191D43926612482055D465073B80948A15150272E14F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674598Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:38:59.961{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58606CCE7D7BB33DB4B5734755B00E39,SHA256=8B189569DC09B14CD69CB2EEE07651A96D6236EEFB3FF3AF7191C96F6CB1C4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573061Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:59.791{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C143C7D3C775C038225E03FB3D82DA4,SHA256=FA14A66EEEB4DDB705A674F24E82DFD75EC76F1A790C01632FEB39CA392A05DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573060Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:59.260{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D80771F3344EA4E97BED73B5FD1ADA2,SHA256=65D4174F8A195F76E632622C71271EC40A923CD4507782E8AB3281811B0950B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674600Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:00.976{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54463E4AF7A5CDBA69853477CE485332,SHA256=1DF02F048432F981ECD98C20DF9CBE342E4B85BD2E64281315773E63C2497214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573063Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:00.807{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C35397EA2F234B80658AD350E01F2C,SHA256=A6490CF697DDCF36A304416DF910AA06D713AE3A283620EA769F211EE7DEFB65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674599Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:00.960{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7B6C5FE8407582478D26B29D2FC625B,SHA256=93A8B95350103A84A49AE5F9C774C948C0B4E1B0438A5EA6CDAA73598D28CA0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573062Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:38:57.876{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52814-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573064Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:01.807{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D21C2C8230A439AC804CA1EDAAEF7D0,SHA256=EAD1D24D18023AD8F6A5A0F0B4CEE86A2272ED012D4300C3AA006D8A43FD0AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674601Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:01.991{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FFB8B319816CE6BAAFC8CB85AC70DB,SHA256=05829279C920F0ADDD0154222D17CDC9E72674ECA2C06DC72207C640600CD164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573065Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:02.807{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E22687975B7BED6B9E1CEA8E69D8D96C,SHA256=67A9CFE1CEB7B1D48C7B5FC5756D38D87D7211E7C38F7D61C353DCDA012367A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674604Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:02.961{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=135841F248B083211676C8DB0952DCA6,SHA256=BF2B1B390A7954E12D2193F427EA759FDC04D9609E7FAC99A14C2B046C15BF21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674603Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:01.422{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51215-false10.0.1.12-8000- 23542300x8000000000000000674602Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:02.177{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF64A34A82F45BB56A00438B5432E693,SHA256=DE7F99D50A26253D9B51F77F78F5B8B1AD9DACF05B95A677C1F86F06AB0E8031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573066Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:03.854{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC7F14E5809684B7A66DE32BCA7CDF22,SHA256=2CC33442D47280D6EA9B983EDE895B72472DF8D9281D2F0DC2CE45DFF919553D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674605Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:03.008{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89A49F5E5298C25D916A3AC0231EDC7,SHA256=69E660B40AB883E3C60A2443819C28A35DE217E7B50B64CD8520D5688F044511,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573067Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:04.885{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DD194F5D8124B069A484E38C5A6EC03,SHA256=582BEAB8528F3B84AAD8598995E4E13D5CA6AEE7DC3F82201C887008E26D09F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674606Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:04.026{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811FF05C367A80C32AAA6647B0AC56F1,SHA256=A44F7C1E5478326B8FF3838589225D2B7A6566F723E525E8FF8E4A2463DFD38E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573070Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:05.885{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3108F60B89CAA3BEE5B75F999F9C3EFE,SHA256=A5C837DDD5ED0B6C6B9AB13B957D01DD0D7AD673A66D456130D05578BDC0759D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674607Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:05.062{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCEEA0C6252B8C9BD69FF3AC1A6B1D36,SHA256=274899432BF4B3289BF7356069DA0A1B7485147DE4FD160A070594799CABB04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573069Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:05.135{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDB649B447E1B964415EA715B1ABCD00,SHA256=6995B93E2DC1C3A260772277EE8C9C05C2C6846B5035BD71184EE96F664E649B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573068Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:05.135{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E05001F8A2485BBE5879D263C1C36951,SHA256=1F8EFA5052DF75FE966D4BD09D533D63AFA219E701600BF81DAEF62B25B4CA27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573072Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:06.899{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F582DBEB8728E219F1D2892E4FBD8F,SHA256=4BC3761C5F26E65910BB88BBDF37E31D3483A59F4532B21018DCF1E5061DDEAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674608Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:06.077{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69AD82DE4DB4CE83AB22345C6456B70,SHA256=D3D25D7B40AE3F72C49B409128E5769B4DFAD69F27C18277E423FDE0A3CB73F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573071Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:03.719{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52815-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573073Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:07.914{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3B731DB2AA03BCEF61B4EB9651DC01,SHA256=2CF2AAA8F281A2B363FBBDE9F95768A7B14D7E5D6B51621BE17E569C761021DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674643Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=876B485A91832780E8EA08743AAFB8A5,SHA256=8B7D8A6993C2EB4D91A8646000A71398BB407406F96C6E04151FF23F3900F686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674642Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC228E3F320F3B30138612C3D2B12F48,SHA256=73020F57C9E0A666B122D3E7D6BA726DA2E550D62383730C773206C9494A63FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674641Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674640Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674639Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674638Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674637Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674636Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674635Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674634Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674633Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674632Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674631Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674630Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674629Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674628Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674627Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674626Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674625Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674624Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674623Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674622Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674621Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674620Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674619Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674618Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674617Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674616Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674615Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674614Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674613Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674612Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674611Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.480{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674610Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.413{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=247751D4B39645B155137C8CBB57417E,SHA256=CCB89D4FE4D99C20C625174D62E5A6A2434E374DCF3F4919DE44A453D1556DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674609Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.096{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4393D12E8A1B8C6D125FC04718089FAE,SHA256=CF465AF797B25F4DCA744B25117FF44E37BB0E3EFC739C21B742AC982F1FC185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573074Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:08.914{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D17F428D8DCFC397106BBC89670976,SHA256=230BDDCB650F214FACB2BD6227518B34AEEC672DDB509017F8190C9E64B201DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674645Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:07.273{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51216-false10.0.1.12-8000- 23542300x8000000000000000674644Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:08.626{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BF1B0A8870946E83E074CA4518CC3A6,SHA256=EB977451743F8C249891465273D900684E830336547C7D713DF24F5A4552FC24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573076Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:09.914{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9F79B2327F2D58DF0F6E219C8F91C2,SHA256=DC7A07FE94FF446BC75FB1879DE035610575B8C06960F85A4D7746670849902C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674646Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:09.628{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6ECB4D59AC3144BF11FE14DAF6E690,SHA256=6FBAD9C62AD96058DC062F6173EC8541CC9C4ADE66AE5BB7B236D7E09E43E6B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573075Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:09.508{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C2AEF0BA0FDD02A6E6A8E4C467DDDA93,SHA256=F6D1831E759E9C6FADD701010B0486794C458DCDB25229C12812F4C25BEB20B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573080Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:10.914{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FECB49D3983F0048EB50736475FF14,SHA256=6D78D56092D8EB91AD27359C59CA5A31EE422B8CDD8F5A97DD59665627DA528D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674647Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:10.644{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8240CE5B657568E4EE4B296139F6EA0,SHA256=85FF3A503C38FCBC7F206A79DE7508BFF1373FCF37DABFD30F15805D21055FC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573079Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:08.733{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52816-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573078Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:10.133{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=696FF53319528FA775634AE64BBED63F,SHA256=99DD19F6A32BC759910D7C2A832BBEBCBED2EC9BC511CB08D30ADCCA89A4D8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573077Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:10.133{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDB649B447E1B964415EA715B1ABCD00,SHA256=6995B93E2DC1C3A260772277EE8C9C05C2C6846B5035BD71184EE96F664E649B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573081Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:11.930{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93FEA55C11C50CA7877697B039D636B2,SHA256=300DED9B1019A3EBFFF83734E3A7EB293DBFBE8C91E2628C5765544BE7B3FD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674648Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:11.663{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49924F986E2D6B9988CEFB61C6FCF093,SHA256=1FAAE247713A2B99D9DA1D9687BD53BC9E2FBFA063B87C47627DB35E4437E06D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573082Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:12.930{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DF30028EF9C9AE19AE3D10548370738,SHA256=3C6ED0D3FF88D7D4212574FF8389FE262586F633AA5BA10695D3C37D24896E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674649Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:12.679{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A104726B79DF7C57C3AD06B78D0D0B9,SHA256=FE9F608747A71C7D767E85DA7EA3EA6864BD1EBD7797BDFA302F00AD3CBC5C87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573083Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:13.946{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A943582096F13D8F5D5E37315CCF356C,SHA256=C298E3EE20851588D49E91D165A33E200575C221CD4F84CF42139F2F4B08EB24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674652Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:13.709{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D789EEB74794BC5BEB37AE85067AD87C,SHA256=501221234F74D14E8DA9358E54F473970B55E80DDB4A8CB1C7FDC941324A454B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674651Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:13.145{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1586C77D9F905CDB259CC8BCE966A2C,SHA256=F5C9892C64407794DDF260CC672D1B7EB5468C554BC8FE019430322A609464E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674650Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:13.143{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=876B485A91832780E8EA08743AAFB8A5,SHA256=8B7D8A6993C2EB4D91A8646000A71398BB407406F96C6E04151FF23F3900F686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573084Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:14.946{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F04854F21086B25664E719D445DDF81,SHA256=1FE425492FECECFF677B5FC2BB7F77C71FEBE099DF6D5B98C57D5D8DF6118AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674655Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:14.724{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF8C9F3E4DE09E7B5D51DFC2D9BA5EE,SHA256=3BE657B7924760C34C953B76DC6BE6E7FA75CE597345BC7E787FB97DFCA49CC0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000674654Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:14.224{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txt2021-05-13 14:34:13.883 23542300x8000000000000000674653Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:14.224{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txtMD5=C44633F1175ECB5885344981D0DA276E,SHA256=ADCA8F574C7E75C522FD67057E09202A6BCE502E4FCA1C08E07E5B948C0679BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674657Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:15.760{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1524848455F50D40F278AEBE38424004,SHA256=508A9CDEE076BD9CB1528BF6F314BF04FE8C529CAB1257B3178C466627EB4E84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573088Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:15.961{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE525F2B33A36F364232098C0DFC661,SHA256=FE71F8DDC46F82FCC2B6694E92C5B1687D97AE12FBE6FAF297980AE8C52D67CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573087Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:13.780{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52817-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573086Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:15.196{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBB440A1A51242731D5576C96646B6B9,SHA256=EEDC6513F5AFC92F55BD8AFEDB659F72C5A3F60A9B82B86D79D591570BC945C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573085Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:15.196{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=696FF53319528FA775634AE64BBED63F,SHA256=99DD19F6A32BC759910D7C2A832BBEBCBED2EC9BC511CB08D30ADCCA89A4D8D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674656Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:12.371{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51217-false10.0.1.12-8000- 23542300x8000000000000000674658Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:16.821{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E929DC3CBE78EDDA8622C204E120F2,SHA256=6A85FF40A4F44FDA135474B379F33F24F0E523A6F748A5B2A0703E03237EF8F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573089Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:16.977{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=531A91CCF1947410D2452AA07A4AEF93,SHA256=9A6FDF27A95CF055E3C05228853BD90F31E8404C45CDFC186A8CCF8E7E431151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674659Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:17.839{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4AFE3D3126F9DF4246473A0D2B9C24,SHA256=C14E6839E377FF6B12F405E6BCE44DDB9BB7454859585AA18DC103D33C89F43D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674661Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:18.874{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=426B180E895DB63FDDC96A9111DD75E1,SHA256=9F4427804F3199A5A1D674E34FB9B9F8E9225746B1A6FE889D21CDD29313E945,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000674660Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042SetValue2021-05-13 19:39:18.742{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\Launcher.SystemSettings\shell\Open\Command\(Default)powershell.exe 23542300x8000000000000000573090Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:18.039{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF39CD36BB5DF5FD8E6DABF69B8808AA,SHA256=69674A200FFA3173D76EED13D86E597370CC18EC16181D2FA0C965CC4599B179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674673Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:19.888{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2D6C6ABD712A89F1D755A6F6B94282,SHA256=BC080EDBCA3C2703EFE9F1BABF624D6E5EB773CFF5C01B4E296C9241FDE4A005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573091Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:19.070{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DB966A60204385820840A07C391AF7,SHA256=D44286E001C1F9D6E002ADDF0D1D8DE10091E6DDB634781141EA7AB1FA19AE41,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000674672Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042SetValue2021-05-13 19:39:19.757{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\Launcher.SystemSettings\shell\Open\Command\DelegateExecute(Empty) 23542300x8000000000000000674671Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:19.142{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=D1D56DEE24CBB1C606BD3FE52E6F3025,SHA256=61B9FEFCB23DE9EE50583A730C6D27D94C382B0DE11081547670597A5A465BB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674670Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:19.142{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=1415373588A7D1CB6E3ECBEBC0E40D82,SHA256=064D30F1D9BB8B909202CE58F79D167B228AC9F44B97BDF27E61B793429D2F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674669Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:19.142{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=037E6CEF27B38398956CF3570A738361,SHA256=1BC3FEC03EDA7FBF5C6229C7E79CC1C62F5DFB1C3AE3ADDAAAA70CEC3895F971,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674668Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:19.142{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E3FF61BD0930D9B74578E87BACCC04BF,SHA256=8A291BEBF5D62EDD09660695EFEECCED31C5F6392409E5674172747F33B93CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674667Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:19.142{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=00B8986BB8ECEF0E20C7170E564A4AD1,SHA256=62CC0512D5ECE1120A63D3E21E401B5BFA6BBA86AC92BE6160045F0501A8FE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674666Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:19.142{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=3E05436983F4B62E046A4647CF253A48,SHA256=BCEAE88A36A09DC26C800B34B0D27FFCAA3F44E60BDDC58BD7C2FEE7051AE9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674665Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:19.142{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=6EC3C16558F83FD3A02CB943BA4E8179,SHA256=07FE635F995A444CBBC004F33C1337441822194408137364192A397417C94EC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674664Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:19.142{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=A6AC78E816AB0DC83D6ED01675387158,SHA256=8A2EC377CBCC217DAA55F244ADF9A23F31EEE7A966BC74C3C51EC3EDE355D6DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674663Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:19.089{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=929A8CD304722517B09BAFCA6A60359D,SHA256=2F8E24E70A5DBDC4CD4DCAB2AB62BC7578031CD4323020CEB29BA5FD7BC34DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674662Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:19.089{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1586C77D9F905CDB259CC8BCE966A2C,SHA256=F5C9892C64407794DDF260CC672D1B7EB5468C554BC8FE019430322A609464E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674675Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:20.902{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864DA9662E44876FB062770E148DF85B,SHA256=9C204DF0C31BB99372AD8E1A94611AC343288FF1BB7B8A1078E7EA09F1932E0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573095Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:18.811{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52818-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573094Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:20.227{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72D7D835A63FB65C63924F9716BD9FB4,SHA256=9A736C8284FA7C622BA105FD27202555C6DF65DC7C20655C257543A3617A7BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573093Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:20.227{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBB440A1A51242731D5576C96646B6B9,SHA256=EEDC6513F5AFC92F55BD8AFEDB659F72C5A3F60A9B82B86D79D591570BC945C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573092Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:20.133{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7938BF215C5B8EB93D1288D75F20835D,SHA256=9FF20BF0F13A76D346C01A5E05A328615F9D69B96D94C1C7774F271DB636548B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674674Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:18.320{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51218-false10.0.1.12-8000- 23542300x8000000000000000674676Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:21.954{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=454D112181B2D083F8F598BDE4434AFD,SHA256=8985AC33D8A26A2FA0E70AD572EDF3BD5CD8047509A0EA8B3068940A0859FC28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573096Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:21.133{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25CD52FD46CB277BD25AA13615441648,SHA256=4187155F13120EE9C0E38112D3AFEBCEADDDDCAF7D5B4C6B87A5AA83DBBA2A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674678Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:22.969{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3694CBB6CCB0758F02088B4658C9E9B2,SHA256=3C0183A9A2A84DD93538005ECF2BFC572F13CC5D396177A430BA014975B6DAB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573097Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:22.164{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72BA6617F3396F5D9DF4CE89927B453,SHA256=F5A22864418A9A4E630BAD3DA5E3D4F49C748233126A45AA87828C26B6E4D030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674677Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:22.501{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=929A8CD304722517B09BAFCA6A60359D,SHA256=2F8E24E70A5DBDC4CD4DCAB2AB62BC7578031CD4323020CEB29BA5FD7BC34DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674680Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:23.984{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11391769A17264C9D5C7B9427EA6FF70,SHA256=51B4FCCEDEF523030DDE73C6797FE58C50BC074DDB197EBB15ED432FA70EDB3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573098Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:23.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574A4C17AA063641E1035D7C90B872ED,SHA256=A7EF6E27D9B87A85DC44DFB7534FE03A8DA7433DA8F4220FE28E11B0F76D1C32,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000674679Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:39:23.836{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\Launcher.SystemSettings\shellex\ContextMenuHandlers\PintoStartScreen\(Default){470C0EBD-5D73-4d58-9CED-E91E22E23282} 23542300x8000000000000000573099Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:24.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF61827D41940CEC110A7D0515DBB87,SHA256=D558AADB8A246AC4B7D2E5D4270492E9C16C727BEF154B0CD70F0CAF115898FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674681Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:24.199{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33761AE55E6AC0CBE3F1E2F2B590D788,SHA256=952BCADB72A776281CB4DEF146E432634DD084A7201889DA91617A11A0BB96F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573116Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.930{E1BD9FC2-806D-609D-0B51-00000000BB01}39683640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573115Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.805{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-806D-609D-0B51-00000000BB01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573114Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.805{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573113Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.805{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573112Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.805{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573111Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.805{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573110Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.805{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573109Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.805{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573108Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.805{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573107Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.805{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573106Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.805{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573105Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.805{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-806D-609D-0B51-00000000BB01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573104Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.805{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-806D-609D-0B51-00000000BB01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573103Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.805{E1BD9FC2-806D-609D-0B51-00000000BB01}3968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573102Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.305{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B7DC1A3368D9AC88D452FA26C45EAB5,SHA256=6441BC0F183F957D859868D675A190856E62FD1E81C6FFE0425D8372F3829906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573101Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.305{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72D7D835A63FB65C63924F9716BD9FB4,SHA256=9A736C8284FA7C622BA105FD27202555C6DF65DC7C20655C257543A3617A7BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573100Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:25.227{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7AD18127F020FEF39C4CF5DC8D9F088,SHA256=58A682882D28A7B287CD48EC85665315AAE4216BF03CB5B399639B94994C1CE2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000674686Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:39:25.853{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\Launcher.SystemSettings\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\(Default)Taskband Pin 23542300x8000000000000000674685Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:25.315{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674684Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:25.268{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=423EA3D2CC7AD2AF2AB24C2A5972A948,SHA256=75050580B02FEA579BC0EB5CD7B341B014F8EB960304C8A476DFDBC3A46A44A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674683Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:23.430{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51219-false10.0.1.12-8000- 23542300x8000000000000000674682Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:24.999{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B762A49D3786A2F952F9CE0B3F550CD6,SHA256=37779790F974F14C95A9E3C66F4667FCA3D4938F04A37D291B3E60CFBAFB9D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573132Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:26.863{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B7DC1A3368D9AC88D452FA26C45EAB5,SHA256=6441BC0F183F957D859868D675A190856E62FD1E81C6FFE0425D8372F3829906,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573131Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:26.472{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-806E-609D-0C51-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573130Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:26.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573129Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:26.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573128Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:26.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573127Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:26.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573126Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:26.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573125Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:26.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573124Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:26.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573123Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:26.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573122Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:26.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573121Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:26.472{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-806E-609D-0C51-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573120Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:26.472{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-806E-609D-0C51-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573119Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:26.472{E1BD9FC2-806E-609D-0C51-00000000BB01}1472C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573118Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:26.305{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7B47186C19C8DBF57522718994EEF0F,SHA256=1C65C523875307024AB06E960630695EB15917356C1D741D478407F1169CA956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674692Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:26.833{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674691Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:26.832{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=F77C0518A0F3D0CC1A992E590218FE1B,SHA256=5BE7FA1F8BBFAB4A15CBC3D25AE0C5E6B33FFE4CD162B235947E72E31C056083,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674690Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:24.498{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51220-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000674689Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:24.498{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51220-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000674688Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:26.301{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DACAB15B781416EDAF0C88730F8A45F,SHA256=CC61E7AE69A237A611C154983AEF80724349DD50622AEB0930C4D8150F7BF695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674687Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:26.000{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9B56CCB78F0D20B8257D7009F71E88,SHA256=EBBD1744637B35049B92C61B4D5F8005F9096C782C02F073B9D6041CEC322073,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573117Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:23.858{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52819-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573146Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:27.519{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4B756F7679597B92D5D265B954F816,SHA256=05E6E4A8E2298A15AD4AABCCF37DE32FBAE0ACB4A601D4870CF4EB6E696E038C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674695Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:27.485{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C424FDEEA63B7EC9C31D86228839BF8,SHA256=222DEF2F8A38FD58D718B1A821B99FF2C041EA1650D80C69D0E3777D13B7051C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674694Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:25.545{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51221-false10.0.1.12-8089- 23542300x8000000000000000674693Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:27.016{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3254AB49BDF0C7C3A33EA5473EF46CB5,SHA256=A3938F917DF51CEC3755D5D8E8C9763A445A58AD23607BCB714BA15EB76B6923,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573145Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:27.144{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-806F-609D-0D51-00000000BB01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573144Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:27.144{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573143Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:27.144{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573142Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:27.144{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573141Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:27.144{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573140Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:27.144{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573139Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:27.144{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573138Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:27.144{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573137Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:27.144{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573136Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:27.144{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573135Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:27.144{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-806F-609D-0D51-00000000BB01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573134Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:27.144{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-806F-609D-0D51-00000000BB01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573133Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:27.145{E1BD9FC2-806F-609D-0D51-00000000BB01}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573148Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:28.707{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20034BF374B3508B26F006B3D208ACE8,SHA256=027EAFC9D3D2F8667624D0D49DB2E5A7AAA7E6FB89BBB9A90C04E94CFC5A458A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674721Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.984{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674720Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.984{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674719Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.984{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674718Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.984{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674717Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.984{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674716Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.984{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674715Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.984{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674714Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.984{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674713Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.969{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674712Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.969{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674711Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.969{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674710Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.969{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674709Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.969{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674708Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.953{7B03F3B2-D0C8-609A-0B00-00000000BA01}6324952C:\Windows\system32\lsass.exe{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674707Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.953{7B03F3B2-D0C8-609A-0B00-00000000BA01}6324952C:\Windows\system32\lsass.exe{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674706Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.916{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674705Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.916{7B03F3B2-D0CA-609A-1600-00000000BA01}13042068C:\Windows\system32\svchost.exe{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674704Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.916{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674703Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.884{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674702Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.884{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674701Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.884{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674700Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.884{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674699Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.884{7B03F3B2-319D-609C-402D-00000000BA01}2288452C:\Windows\system32\csrss.exe{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674698Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.884{7B03F3B2-326C-609C-872D-00000000BA01}68926228Shell.Commands.DiagnWindowsPowerShell\v1.0\powershell.exe{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\Slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\shell32.dll+3cd0f|C:\Windows\System32\shell32.dll+3cb9c|C:\Windows\System32\shell32.dll+3c8ec|C:\Windows\System32\shell32.dll+e2187|C:\Windows\System32\shell32.dll+e20e5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+38b3fc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+af0a27|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64) 154100x8000000000000000674697Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.887{7B03F3B2-8070-609D-3556-00000000BA01}6356C:\Windows\System32\slui.exe10.0.14393.4169 (rs1_release.210107-1130)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\System32\Slui.exe" C:\Users\Administrator\Desktop\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=6DA00C320273915FA7A6E43A8AA2F0C5,SHA256=008AD5FDB6416DDDDA2851C9E8C45A37F4332394341EC5786C9079851A7A5A1E,IMPHASH=BE6A8F73F7A470237F542B6CFB4ECD5B{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000674696Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:28.035{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2345539D2CAB64B3F94618610ACFD289,SHA256=A1288BC4EB7B5BD6C880364DBB19536A4A9AE5A6FB8947726FFFFB3DA299EBBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573147Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:28.176{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B130115BF46390FE15350DB0A923A86,SHA256=7C288C0A04E52FE132DDECA5A76E4EBB6947F1DB52F3591AF66925C8BA1E06FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573150Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:29.894{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573149Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:29.769{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9EA6D9BA57C84F2B0A3CCEB645FB16,SHA256=8A6A6030F3F371FA98E43BCD2028CA4BE2F10A2274D257ECF2587458A7FFCF9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674723Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:29.888{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0759AA012B4CE676FBE9E6318A42BD4,SHA256=4717CD7757F12AB3D3AB9CC77949884DE4320DAA9722B2DDF7A464B78021A94B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674722Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:29.069{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5541E97495E4FE4375B3D9E36E67C5E,SHA256=8D0425B88E65D08E0DEBEF0327679E027DAA1635B8B3EC008BB632CF8868D4D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573152Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:30.879{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEA7BD21E6A03E4DF87C1B8A3DDA777F,SHA256=621CCE5658A9DF1C143BD3D8B41E2EC36C6906FB8BBE8C9458A16B55F202ED96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573151Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:30.769{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAD239D80CD0A0130079607FA71B70C,SHA256=CEBAA68F9FC70A92FC2097F4AC884D490B77973FCE67F3FCB724030D6C19CEF3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000674727Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:39:30.968{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x8000000000000000674726Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:39:30.968{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Config SourceDWORD (0x00000001) 13241300x8000000000000000674725Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:39:30.968{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BB71F2B0-B2FD-473E-8F6A-A6267F6C421D.XML 23542300x8000000000000000674724Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:30.069{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=213B448EAB69F18B1ABFAB09CD7C39D2,SHA256=2A62ADF67CF557C655D865BBD6ECD627E2C5AA441902C9A956207BDCD00923E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573155Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:29.697{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52821-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000573154Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:29.510{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52820-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000573153Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:31.801{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F85BAD4C207CD640DD5A855F64D593,SHA256=E4FFD772FDE00C0A35D0453D7CD4600A9E55E06FB61A9967749A2FB9C880A797,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674729Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:29.399{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51222-false10.0.1.12-8000- 23542300x8000000000000000674728Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:31.084{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE508232D063B43B44E1592B0029470F,SHA256=720DA421FD7A88C816BB745FE2650991F16DFBEE9C6197382A12897358FD0655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573156Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:32.816{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6A5C3E89D20D7E57E34FE90B4EF734,SHA256=9ACFA885639B6A829CB18F0F60EB02C82149590B58A840098917152D22B5A3AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674737Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:32.532{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77E340937403DB12A2951996629618FF,SHA256=D3E10D7FFF1489048685EA8BA6961AEF992B5FC44EE1A6FDAE2931E72E6713E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674736Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:32.532{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60E0C1AE7DDAFABF9584FB090108007C,SHA256=0B91A2853DD6989F1BE26C984D70CEC3C242F9CC171A02F0ED0D046547AADFBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674735Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:31.235{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51225-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000674734Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:31.235{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51225-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000674733Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:31.229{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51224-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000674732Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:31.229{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51224-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000674731Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:31.215{7B03F3B2-D0CA-609A-0D00-00000000BA01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51223-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000674730Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:31.215{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51223-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 23542300x8000000000000000573157Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:33.894{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC3FBF94F71044908541D22E420E6E8,SHA256=87820CE3622938A56AF3BA332B3E37F93679C5E833E665C2AE8594696CDB8127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674739Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:33.297{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B469FAC6BC29C6671752469AE7DDBB81,SHA256=449B394CF4A5DFE9768D1CD32EF3B70B7B2977A52609CB5589D6AF85F70849A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674738Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:33.013{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E9C449BE72BBBD7D44021A7DAB4E5E99,SHA256=CC783B6A1FE25E584747E112F42E44AC496ACEBAB35B1801D5631D44856ED856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573158Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:34.941{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D53CACF9BBC67190DB04BE12EB276DD,SHA256=C96F8FB18FCB7A037063375007FB4471F234F58DB3C27A03BBB1F6935CBEFBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674740Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:34.311{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDEC8E371C4C0CE14EA43983026A3BE,SHA256=B3A5C72CC5FE9AF3B53A3AA76CC379E6C16AB641DF84AD277E3EB7D9159D583F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674743Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:34.426{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51226-false10.0.1.12-8000- 23542300x8000000000000000674742Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:35.348{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A008D49A903D625D1AB0C3EF41D637E,SHA256=D0E362E6BF616B12FB526D34E3A7F89FA20B3C4A4A5F555FF57EE3F8570695D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573186Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.849{E1BD9FC2-8077-609D-0F51-00000000BB01}29801628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573185Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.724{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8077-609D-0F51-00000000BB01}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573184Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.724{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573183Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.724{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573182Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.724{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573181Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.724{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573180Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.724{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573179Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.724{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573178Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.724{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573177Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.724{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573176Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.724{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573175Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.724{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-8077-609D-0F51-00000000BB01}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573174Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.724{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8077-609D-0F51-00000000BB01}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573173Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.724{E1BD9FC2-8077-609D-0F51-00000000BB01}2980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000573172Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.177{E1BD9FC2-8077-609D-0E51-00000000BB01}1042572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573171Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.051{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8077-609D-0E51-00000000BB01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573170Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573169Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573168Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573167Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573166Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573165Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573164Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573163Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573162Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.051{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573161Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.051{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-8077-609D-0E51-00000000BB01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573160Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.051{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8077-609D-0E51-00000000BB01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573159Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.051{E1BD9FC2-8077-609D-0E51-00000000BB01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000674741Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:35.196{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C789EE22E64FF6886842ABA7BE93034C,SHA256=62B58978922DDD7CD788F6B0C52B14847FF5C3C7659B85FE66184C714BD39233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674744Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:36.363{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=944A3C279E5858CE0ADAD14BB24F05D4,SHA256=B8CBBF5017BA6DDED250F8BEB23994A776870DB23118904BE2FCCB9F72057EF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573202Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.397{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8078-609D-1051-00000000BB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573201Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.397{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573200Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.397{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573199Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.397{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573198Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.397{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573197Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.397{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573196Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.397{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573195Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.397{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573194Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.397{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573193Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.397{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573192Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.397{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-8078-609D-1051-00000000BB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573191Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.397{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8078-609D-1051-00000000BB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573190Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.398{E1BD9FC2-8078-609D-1051-00000000BB01}2528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573189Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.163{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=446DD7D74C8405FEAAB8ACBF1DC9BB78,SHA256=E05CBAD0B1E72042BDC8F940B10FA8427276C21502940B32A07DB414CF4A2B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573188Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.163{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6C280B67975FDF78A1753397F4884AB,SHA256=62559FBCA6A3F98B452555061AC5599021E7F7D475C76DDCDF4EF3B0EAFAB41C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573187Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:36.163{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D68575A020137F8486FF851F192E4D8A,SHA256=47AE2B6116A548A6144B485343D5387F32A0589F2FC773C0605E48B7D59B3A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674745Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:37.393{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFA619AED729C3A18F1AE36532B7947A,SHA256=498CC0452715B98A66FB4BD8CF70B0F6FCB49F78FA1E57699B4A6B9301054F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573218Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.303{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0109B93CD4E5A9CA3941A65CB2D8E061,SHA256=9A0956B24D937AD976293BD1CE140781912E6C78250EEC47164FE02577F88AFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573217Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.194{E1BD9FC2-8079-609D-1151-00000000BB01}11921572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000573216Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.100{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=446DD7D74C8405FEAAB8ACBF1DC9BB78,SHA256=E05CBAD0B1E72042BDC8F940B10FA8427276C21502940B32A07DB414CF4A2B30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573215Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.069{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8079-609D-1151-00000000BB01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573214Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.069{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573213Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.069{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573212Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.069{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573211Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.069{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573210Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.069{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573209Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.069{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573208Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.069{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573207Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.069{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573206Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.069{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573205Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.069{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-8079-609D-1151-00000000BB01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573204Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.069{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8079-609D-1151-00000000BB01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573203Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:37.069{E1BD9FC2-8079-609D-1151-00000000BB01}1192C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573221Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:38.225{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98082C0688446096DBDB4121FEC7B348,SHA256=3087AED489B2374C7DFC92FACAA56FFF6E8C5F40247CE32677A93860458F942B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573220Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:38.194{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0AFE662C46D0AFE9252D96F765B13D,SHA256=B68977D55FF84BA13ABFBBA6B9638534946412BF8E180052D4FECEFC14D83B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674746Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:38.425{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=561BF7E78D98E5F6D882AD68ED63C593,SHA256=733F89BF84F12743A66D1B473DBDD0927BCA8736FE903FEAC0D373B206E5AAAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573219Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:35.714{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52822-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573222Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:39.209{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83115D3AE5D1DEFE0A2AA82DF787B6E5,SHA256=9F9CCE882EE7AE0514C3710980D8FCBD8B54341255BB5318CE50CEC5B8841794,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674755Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:39.444{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8532488478D163D327B877F3B69769B8,SHA256=9AEE93CE880F9A39061803D5D7BC1EABE14EA79EAA33E95845BB4418C93F452A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674754Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:39.107{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=46E62CBCFC34814BD0607C099FDB632F,SHA256=52365E8C6D748B3D5187020B52F0D6D91EFD0581AD2D5DCADBE0254F129C786F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674753Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:39.107{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EF3E659EE9372BDAD62A00A911C1D381,SHA256=774103E2BB48307A95B1920C928417A5A556971F463F120D7395E2D69EE0D55D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674752Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:39.107{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674751Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:39.107{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674750Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:39.091{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674749Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:39.091{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674748Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:39.091{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674747Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:39.091{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-326C-609C-882D-00000000BA01}6984C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674759Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:40.843{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=825FD573B6E7F302E5F45DB27AC40B9F,SHA256=5037FD8C992B60B2BBE98BCF44DB99BD2526CF4C2960BF77451D6816919CDA2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674758Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:40.843{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=110BE0A1E40C07A8DD27819F1040B4E8,SHA256=5A33D44D56BA2E5144EA1345C426A92C56A610042802890DB642685DD6390736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674757Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:40.459{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCAEBD861330D3520B30609296EDC4C,SHA256=547718A3C3E96363F90FC877542368FC349099B14A5FF29FCA11CFC4A3E7A5D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573223Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:40.225{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4B49A321982F5E2943C0F94D026A62,SHA256=7B82BAABB7118724F545288A652A6D230CEC53FAB79D6E9F7F0B83D8441D4C3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674756Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:40.126{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CA56314A79C2BDC96487B881D7B54C0,SHA256=EA0DA3AA9FF5C1DE856AA7DE066731E63A6FA5D7BF255685A1FF3234071A5D28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674760Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:41.474{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBA64699E274E357EC23C424D5A3E7D7,SHA256=82674B445FE99FF410A5FC8AB26B3189CE22D1F3ECE1859B69F4E330B0055B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573224Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:41.241{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687157EE009A72041BEB74BA20030A6B,SHA256=F6EAC63D6705FB33F11D189249A6269BF0CF466D5437A98EF72B0FAF1D93E8EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674763Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:40.271{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51227-false10.0.1.12-8000- 23542300x8000000000000000674762Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:42.504{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=800B37FE585F2DE80368F58C97D30C4A,SHA256=930F9AA795B759426BD5E2E43D55C06EA1FE00CBD10D8999F624657759DC4562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674761Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:42.488{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D9956F373A9C82C5BFCDA133259672D,SHA256=ED826628FD4178CA485E43661D24646D0DCBB2D1E8E97F1AC5EB65FB9B1F3004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573226Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:42.256{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BC3AEDE6B86B7BD7165E70A3FEB35D,SHA256=2360B04E88463BE0460E48A1717C2EC5A78DA9951EFC28CFA76F4915F9241848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573225Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:42.100{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F588DFEC5620EB44355CFF201F142813,SHA256=DDAB22B1E4299355A37381196B5BEB8B32B88777BA49EBB4C8AE9A59AA58781A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674764Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:43.503{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724A64C7CAB1675E43DBDA70645519D3,SHA256=3366B259223A6B257005961F4EF796737AE8D40EC1DDAF050088CF40F0C942FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573228Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:43.288{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979DE5E0B73A0AF4BFD0A5BD153F0E47,SHA256=28BB8AD916CE21FE2106CB66FA45774A80EEDE5A9D7BAF672CA48E49886767DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573227Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:40.716{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52823-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000674775Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:44.922{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8080-609D-3656-00000000BA01}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674774Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:44.921{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674773Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:44.921{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674772Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:44.920{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674771Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:44.920{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674770Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:44.920{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-8080-609D-3656-00000000BA01}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674769Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:44.919{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8080-609D-3656-00000000BA01}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674768Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:44.919{7B03F3B2-8080-609D-3656-00000000BA01}7968C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000674767Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:44.521{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A299783F1F56668A0A4EDC248EE39F87,SHA256=69884541C485A269805ACD91BCA80BD504CD6AD3A6D82F70760F309300D270C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573229Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:44.319{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1F064669B0B866365102FED4000DDD,SHA256=D8BDA7D219A60CFCA32642300EE54357127F7455165F84BBA8EF56FCF810D53E,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000674766Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-DeleteKey2021-05-13 19:39:44.420{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\Launcher.SystemSettings\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449} 12241200x8000000000000000674765Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-DeleteKey2021-05-13 19:39:44.420{7B03F3B2-326C-609C-872D-00000000BA01}6892C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500_Classes\Launcher.SystemSettings\shellex\ContextMenuHandlers\PintoStartScreen 23542300x8000000000000000674786Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:45.940{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EE607DA18C25F7AE0EE03EBAABBA2F9,SHA256=ED17C1A4249AB681BFEEA5C6E840AE102CABCCE2435A8AE9A60C6611893FA533,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674785Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:45.603{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8081-609D-3756-00000000BA01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674784Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:45.603{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674783Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:45.603{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674782Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:45.603{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674781Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:45.603{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674780Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:45.603{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-8081-609D-3756-00000000BA01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674779Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:45.603{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8081-609D-3756-00000000BA01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674778Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:45.604{7B03F3B2-8081-609D-3756-00000000BA01}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000674777Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:45.540{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04E61747DCFED072E3A8AC1D8DE5831,SHA256=61A2F37818C70614306CCF907E8174A8C4E6329CE1DB5539BFEDEE7BDC16EA62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573230Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:45.350{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77A39B3091012E0C2ACFE3AD1872F6E,SHA256=E48B853A1EFE24DEDD8D6AD4ED00FE81A196CDFA42A91969640EB20C64A36B5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674776Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:45.102{7B03F3B2-8080-609D-3656-00000000BA01}79688064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674796Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:46.555{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F92D6004B35DCE3E3E41FFF6C6F4DA5,SHA256=5185E662ABAE28006E370BE31D40F50C8BF0F3291C305ED63FB95088875543EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573231Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:46.366{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F575FA3B2D5DEB7B1116D1B7B1ED44C,SHA256=841142662B80B2F106BF093E27165A40950FB8E7A41689A9220276638BF0421F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674795Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:45.301{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51228-false10.0.1.12-8000- 10341000x8000000000000000674794Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:46.271{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8082-609D-3856-00000000BA01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674793Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:46.271{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674792Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:46.271{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674791Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:46.271{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674790Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:46.271{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674789Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:46.271{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-8082-609D-3856-00000000BA01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674788Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:46.271{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8082-609D-3856-00000000BA01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674787Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:46.272{7B03F3B2-8082-609D-3856-00000000BA01}2256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000674816Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.954{7B03F3B2-8083-609D-3A56-00000000BA01}63483220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674815Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.770{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8083-609D-3A56-00000000BA01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674814Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.770{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674813Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.770{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674812Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.770{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674811Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.770{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674810Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.770{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-8083-609D-3A56-00000000BA01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674809Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.770{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8083-609D-3A56-00000000BA01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674808Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.771{7B03F3B2-8083-609D-3A56-00000000BA01}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000674807Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.570{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400DC07B21337A98F33D257E80D068B8,SHA256=161EAA5AA49D6ED13012379741EB4870E584E0E9D795636D6AA67CB538B9CA99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573232Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:47.446{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9622EFA5C8148C50F20C1C579B1133C4,SHA256=0A976B044613813C558392559A2165D499D1A27F5DE837743BA3AF67EBA51AA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674806Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.423{7B03F3B2-8083-609D-3956-00000000BA01}76686700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674805Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.301{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDE5EB42969EEC4271E9423E294F0DEC,SHA256=9D51DA8298F215E8190DFCAC48AD6D0F428FF5985E39215F12823EE7148C8E1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674804Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.239{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8083-609D-3956-00000000BA01}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674803Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.239{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674802Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.239{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674801Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.239{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674800Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.239{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674799Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.239{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8083-609D-3956-00000000BA01}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674798Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.239{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8083-609D-3956-00000000BA01}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674797Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:47.240{7B03F3B2-8083-609D-3956-00000000BA01}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000674818Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:48.601{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABE80F804EA7A785FEDBB69343386D7,SHA256=29181E3621AB27048CB97C2E3544AD07C9B106219312F31700666902FEB867C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573235Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:48.477{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDC584C279EFCE284A38E25DDA298C8E,SHA256=BB24E6D8DFB19D71676506BEA069C0C7146BFE7CEB2729BCAF0D4C11AB11011B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674817Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:48.438{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5C16A9A4E46A74F0DF9159F89BCB3EA,SHA256=D38EA4594C91B2E8610FB0AB769F20A87E3008B46386BACCEDFA3F2925B55631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573234Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:48.133{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86385F2B07C84340B6196DA28604D6C8,SHA256=659534ED1A47EA9CBCE6D7DDC8265A94435CE739370190492FD8BD7B059AE7F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573233Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:48.133{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8562EAD12F3E1AAB8D9D1DCAC8CCF10F,SHA256=F0DB1A5E348E7CA66880D0AD9511857B1A38AC8EA1B86060532C3AA9D45CDE6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573237Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:46.733{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52824-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573236Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:49.477{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D3F6CD38C37B6D9F0669FF75B57A15,SHA256=F376B4BE02D14AF3D14762203ED3621AF02C37C3BA45EF1BF835200762757A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674828Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:49.621{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44EF7439CB107D640943B4CDFD3F684B,SHA256=210AF2AA1197991278994FF38CDD4D25187C7406DABCCC562D0D7A50EDB20074,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674827Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:49.500{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6A039FDC8A9198D4E6ECE8E9BF0D2A17,SHA256=ECB5E082FDD73E22299D4BEBFD746198A833DE31A4B0CA15AAF07E4DA413B00C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674826Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:49.400{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2A56-00000000BA01}7348C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674825Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:49.400{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2A56-00000000BA01}7348C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674824Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:49.400{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2A56-00000000BA01}7348C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674823Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:49.385{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2B56-00000000BA01}7808C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674822Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:49.385{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2B56-00000000BA01}7808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674821Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:49.385{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2B56-00000000BA01}7808C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674820Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:49.385{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-803B-609D-2B56-00000000BA01}7808C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674819Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:49.369{7B03F3B2-326C-609C-872D-00000000BA01}6892ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveMD5=48130071602A46ED1FD95E65216FBBF2,SHA256=076861E3CED9783A41D26EC8387F0E4D33212DB5B1AB1FB142B90A058ED4A9EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573238Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:50.493{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F3E3672A7E9112F2EBBEEF9BA6F068,SHA256=DBC08A45F99F5E51BF474F6DD507DB72C22CE6D87A8856805FCE352239862FC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674839Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:50.953{7B03F3B2-8086-609D-3B56-00000000BA01}79844080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674838Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:50.768{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8086-609D-3B56-00000000BA01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674837Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:50.768{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674836Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:50.768{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674835Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:50.768{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674834Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:50.768{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674833Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:50.768{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8086-609D-3B56-00000000BA01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674832Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:50.768{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8086-609D-3B56-00000000BA01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674831Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:50.770{7B03F3B2-8086-609D-3B56-00000000BA01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000674830Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:50.700{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4118D137155A942F3E90CB65B5A13848,SHA256=8E46F927C987652457FFDABA1EA68CFCA02683E96C6BBD41CED3622F16360682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674829Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:50.400{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDC32BA82AB557B4B62F40403817D8C0,SHA256=3504AC82F136CA23E5199F35F4E1F876F1DD470DB4F47EC2F288D53A4E02BDCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674849Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:51.770{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06BB11593FECA3D17115CA0BAA4F4ED9,SHA256=2A46B3EF6F8FAEB5250C9D6E91F7FF19CE62C891A9D434FB7E388814CBED16A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674848Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:51.701{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6688F2DC6A595575D66B7F1ABC6F709,SHA256=40700A5B97FE823845DDF2929E0921CC4807D4298C8CD33D7EECA437E1FD3EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573239Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:51.524{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DCB5C774BA4E1C3DED1681D77D1F7B2,SHA256=AA065B7602AE20146DB9787E6693C2645D45F68C9781A78C81E7DB3D07CF0480,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674847Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:51.437{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8087-609D-3C56-00000000BA01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674846Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:51.437{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674845Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:51.437{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674844Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:51.437{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674843Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:51.437{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674842Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:51.437{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8087-609D-3C56-00000000BA01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674841Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:51.437{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8087-609D-3C56-00000000BA01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000674840Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:51.438{7B03F3B2-8087-609D-3C56-00000000BA01}3528C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000674851Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:50.346{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51229-false10.0.1.12-8000- 23542300x8000000000000000674850Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:52.718{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B3BED02C52BB97B3F205BCDCDB9603E,SHA256=9829D8FA45876E14E79C602E8ACA88EC1C63D6E1C97601A8C524EC9C964DFE65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573240Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:52.524{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C876FE0BC37FD19ECFCC5A488E3C19,SHA256=78B7516E7620E5D737FE8CB44E8EF9AECD0585C20749A4A3D90457D66D95F886,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674853Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:53.737{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2EFB809519D0F93F827C1CF056C271,SHA256=AB7561C7889DE5F1374CCF476FE7B8220CCC3417F0DC014D996C89448B77D2C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573243Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:53.524{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F52C6CB2661E15EF8CBA49800834B6A7,SHA256=045A6174B252BBF1227AB2440CC337C120C2514B15A483D6BE64621B6D2B9801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674852Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:53.584{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3AA75724A7E98E55A2221B9D46904901,SHA256=CFD645AEC1B7485ECFACBAEFCE4CBFDC883CC1B8D83C158E25C997D05975C54F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573242Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:53.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3C781A45C684E65E7C7E9D109165996,SHA256=49D5E9B9CF44FFCF38137B60393A5722260422B25236258D62E2E659F7FF4C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573241Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:53.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86385F2B07C84340B6196DA28604D6C8,SHA256=659534ED1A47EA9CBCE6D7DDC8265A94435CE739370190492FD8BD7B059AE7F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573245Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:54.540{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=258445BF96F29D8CBB1A9E54512D514E,SHA256=1960793DC3D977F8CB35C2C4C2D1E8B51EF6BD15AAFEAA1C6B4AEA2723AB7D45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674855Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:54.767{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61125816E75ED86E49697655E8BAF909,SHA256=B551EAFB037ECF38250C7FC915FE260E6FA8724CD59CC9EA06420F3E45F86E19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674854Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:54.598{7B03F3B2-7FE0-609D-1356-00000000BA01}5204928C:\Windows\servicing\TrustedInstaller.exe{7B03F3B2-7FE0-609D-1456-00000000BA01}4712C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+7cda8|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000573244Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:51.764{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52825-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573246Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:55.571{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=569D57617265B9AB64FA5B70E44C1DD5,SHA256=42DDB07860C634BF3E08E7601FBE33701BB99C0BAFAA4DF5F481A7C19B897506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674859Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:55.797{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC71DC57E8316CC486EFB6D6C3B0EB7E,SHA256=76BBD9FA6CBAA0543135ABA7DFD9F4736CEE7E12E2465B2ED8C5F31506FD7019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674858Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:55.619{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4A801ED9F441759DDBD0EB8366811C57,SHA256=5BB2C3C0F534941BB5EA07B7CE991D7F0264679A9B7D751E665765297F332DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674857Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:55.619{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=825FD573B6E7F302E5F45DB27AC40B9F,SHA256=5037FD8C992B60B2BBE98BCF44DB99BD2526CF4C2960BF77451D6816919CDA2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674856Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:55.618{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7CB41E79B732FCD02C5D5AD7A648C8B,SHA256=507BA061982514570EE949ACFA8BE3830738A566286E986EF563D97BA7B73A54,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674869Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:55.381{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51230-false10.0.1.12-8000- 23542300x8000000000000000674868Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:56.818{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C148A105C3D64956EB0D29AF33FCDD,SHA256=69A049F5DBF440499F29C54B7ADA720EE03EF0143A73656BD76CBFC13DDB9218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573247Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:56.586{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890301154A68EE2917E41204750BA506,SHA256=575A3A46AB668FF49E63ECD725AC58A46BFA369EFD95834CDBCE2B04EA43DC6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674867Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:56.397{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=3699DCCC577E53A9C20C8176FD83E6DC,SHA256=0F397DBB31BEB53B0B574CAB25118D46C0D97125F1B39C1CDA686E6F79D8F400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674866Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:56.397{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=774D7A4ACB1A1EAD488107A64C95BBC5,SHA256=6B1E27C282F8FD1C39343E352225FDF94BD8B501913B407C10D8114D37B89B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674865Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:56.397{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=0D1DCD96ED807D52C7CA09B81550CD2E,SHA256=557DC93FB81B3EE254454934C170CAA99AB6A4C241AA95232B2338E379D66DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674864Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:56.397{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B6CF7254A232325BECFD2446D225C51C,SHA256=72F2B341DE8802E8DF4DC51F59DB4E92D404315920D264D711C11E9F5F6CAD2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674863Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:56.397{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=1C581FF6C72646097AC4426D90669523,SHA256=274F1FA52091E71DF740141124FA143D079149A67737C69F6F9C1F0338B05346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674862Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:56.397{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=603B38128A50B4DC24AB6138D0BB4BA7,SHA256=366B0FBD7EDA14684ECE2E52290759D6D46C09357818333E10B7A82809175D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674861Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:56.397{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=DD2DC87BBBE57009E21C5812B1BABBC9,SHA256=5DCF6E8C928BBC263AF6CA6C5883473F957C89BE91BBB551FBFCE6CA38004C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674860Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:56.397{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=EDDDF896883799505BCEC795C958276A,SHA256=4C12C8ED7F76A2EC6CEE42FF78C7F52DB655E88313F1B35F1E3FE1E75229F29A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674870Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:57.833{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7463C349F2E6C840DA51876AC3B2E7,SHA256=CD9551D530163A2F552D130B76DC02338E793067C3FCFD83D172ABFE8A798DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573248Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:57.696{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29460B116853E393C908082982BD4797,SHA256=A07D29CAA0C2342C976496F51E30F2BD7F40CAF8ED2E0E91734B12F08D8CFE2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674871Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:58.833{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB754D842AA62757E947A394FE45D45,SHA256=DB4492C6668CD636C51388BF8E907881AAE002EE4183C62C5C24A480022DFB4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573251Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:58.711{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D070141A84A3CFF635E57A5DAD23953C,SHA256=416705041232E91EA877A292CA436A67C962C85D8E7C63AC99F0EB2A6BCEFA28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573250Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:58.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD772F8B8603854EE11319293E892509,SHA256=9EB5999FC43D66FBAD3357200DF45E9014C397DDE0AD632FB88A6AA9A444742E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573249Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:58.180{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3C781A45C684E65E7C7E9D109165996,SHA256=49D5E9B9CF44FFCF38137B60393A5722260422B25236258D62E2E659F7FF4C6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573253Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:59.727{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F915C940D601D72B873A254C3056D0,SHA256=BBEBB73BF501005618123C5E64167170F15C1DBA2C4840E61FAF0A200591975F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674872Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:39:59.864{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5E1CA172767B75F458897D1F1D34F0,SHA256=230B00F25F9B5A9DC118681683CC3FA81176655CB9F1FAF6EBB58837A86AE13A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573252Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:39:56.811{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52826-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000674873Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:00.879{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D4AD7C477A52A54549C4F197947CBFC,SHA256=59C35A4D5AF0E36A73E15330A126660A7863A1527855819F7C29AFA6488C4B80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573254Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:00.743{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29881026EB653C77CFDB3AD6D1D869EE,SHA256=F0979DD36A7B22220064EE46DC4B12A788B7E402138AEE9770F2A46F52000040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674874Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:01.896{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56791A594CB962C5355514AAB71700B2,SHA256=C582BDED4BEB4CFF4049C92ED01D6BD039D6D7C8DF72CE7B2FEB3B6BCDE24833,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573255Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:01.758{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3A40856E9C77E51DE26D7039851FEEB,SHA256=D2D1392EFABC83BA28DE9BC26C98EFA7848A1A8A8A04755B25B1CB7BE74E67A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674878Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:02.914{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A2352C8D2DEE51471612372F8789CC,SHA256=336EE4BF6872C212FD5E5A60733A2027A8046913B6F946FDB83BA69FC41B2203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573256Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:02.805{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=102ED5EAD82DDD25AC1BC7C1B24DECE5,SHA256=AD65210B2B9AC4159FDECBC07EB14D63FEF9E2CF8B5982D48AF802F60F965509,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674877Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:01.408{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51231-false10.0.1.12-8000- 23542300x8000000000000000674876Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:02.164{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE19657DFF9E3A5F01C2AE6297CCC1FA,SHA256=C96534ED42A7C1328D74358354E96B3D402DF53480CE26551C74D28332575BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674875Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:02.164{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80369B5C991AA2AF5D17031759EBC4D8,SHA256=2211C907B53D1022976386964F1C66A0C40FE58CF8F6E491DE3D395BB5A61528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573257Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:03.852{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA744B3C917DF472DCBF49121D8C40E,SHA256=FA97D11FE604E4D1EE8848C3C559D023F92F95B21F3E954C414648AD32243B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674879Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:03.931{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E60A6793EF24FB2B3F8FB7BA39D3735,SHA256=A4EC5365CC371FCD65FB0FA28F537508A447190FAA59B398C2E7A55E60C88EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674880Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:04.932{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DFF00235A2E3C41009D41C02B3EC002,SHA256=1797993C684B1A8D5572D33B8837A101140FE22DF02ACE06993E385575D3B5BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573261Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:04.868{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081837EA4C0AB4BBF93831DD3891DB90,SHA256=0A1A603C9BB3D490E17E2F1F5E275E05C8A44E923029DCBA595BFEB971E3E605,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573260Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:02.702{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52827-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573259Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:04.086{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=233FB347241BD78BDC06D7B9966A53ED,SHA256=F6B0FFF266213FBC51B1EC30C4F57D2B2FB63120B4E0CCFA416AAAAD655E1C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573258Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:04.086{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD772F8B8603854EE11319293E892509,SHA256=9EB5999FC43D66FBAD3357200DF45E9014C397DDE0AD632FB88A6AA9A444742E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674881Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:05.962{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C98E3064692F0366E14D261AD285AC,SHA256=BD7D8B537675E9BC25842F8D6878254CFEF40099ADE4D617F635D963F579B347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573262Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:05.868{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05232A262FF2D1D97E66EFA339D02AD0,SHA256=D1F56E716B915A2CC2E83D9A8995FB4479A98E5D179B679D1B0D09029AF30B88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674882Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:06.977{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=470BCE20904A1EB3B7524B306B88A469,SHA256=5E8AF60E81F35F9608CDE71D199C96CD187EFC8822D1DDD303F8224C7F5E1FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573263Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:06.872{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0F077FD0451B48836CB4E28BEA91C48,SHA256=62B9279B408C0172786731FABDC63281895956D8A6AD3336699C5A432B0BD771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573264Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:07.904{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF48192AF25063A7B879404922A6D53,SHA256=59B8FF9AEC859BBD601471BDDE500D456F96ABA7A48A6D51DC030C3B68E1D5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674885Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:07.977{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFB026A42641A5AF7325CDAA9441B59F,SHA256=E62CDFD711F19D07CB54AD9B13BDDBCA51AFBEF2E324EA393C4DD5B329CF7B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674884Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:07.529{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=328C13A8F02C35160C3BE51E5C5C08C1,SHA256=E474546F7DF7EC7E369B0D192770646FBEA1C0901A47BEAE59A543FDECAD5D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674883Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:07.529{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE19657DFF9E3A5F01C2AE6297CCC1FA,SHA256=C96534ED42A7C1328D74358354E96B3D402DF53480CE26551C74D28332575BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573265Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:08.982{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9722FD30A8FB77707794FCB625E122BC,SHA256=1F47C242D4CC61CC4E46FDB3419799F01FA2D6B1F709C5D5A8F74BD37F7CB855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573268Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:09.513{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FC41617BDC749AD90D5C55E4336D762D,SHA256=BF3ACEAB00422BC5C71B97820B9672CE69F22E410699099066CD50B887B937FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573267Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:09.247{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C791715F27204874C60443F108995D14,SHA256=22132A8DE259640370D6C4F695E32F9A4DD0C0A2D0393A8F74D2BA34682EB332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573266Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:09.247{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=233FB347241BD78BDC06D7B9966A53ED,SHA256=F6B0FFF266213FBC51B1EC30C4F57D2B2FB63120B4E0CCFA416AAAAD655E1C34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674887Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:07.338{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51232-false10.0.1.12-8000- 23542300x8000000000000000674886Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:09.009{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46828E458F45D2A58F5C7DF498702124,SHA256=7B5048AD05F12534DB5BD252980737AE57396BF78A269E4A241E36607517E05B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573270Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:07.878{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52828-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573269Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:10.044{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80846D899BC3D0AC0016F113E386DA6,SHA256=4F3DD8D5596F274EFE65BF256A799854A0FAE03134EC848EF1212C4469EB68B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674888Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:10.027{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EC92BB3110C44D3170C4E6AB32B0CCB,SHA256=875AA098A8DE5F0DD21EFAAAD2603C7DF2438853AE72203FD7A504956BC57AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573271Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:11.060{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282C714D92C428F14978EE4AE1F314DE,SHA256=713C7D798E392C7ABED9989558342320BFAA92393E5DD2946FFF5E086159699B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674889Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:11.042{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE16B21EBF09477F8DDCC12D86EB6F4,SHA256=5154DA00C7C20B968BA988F1FDE45A16B3A166A792A6F289354991DE7CE77B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573272Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:12.060{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE32B26E0B9B6E115B09F395BCE6AB7,SHA256=7171660836E9A5A4D4B5523D30915FCA1D897EE7419F24ED2ECB059BF7301BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674890Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:12.073{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF3F40027731B77A7571623EC590B6E2,SHA256=9FE0972F70B694608ACA84FA6A96D9547185E6B1D0DE0351EC7529A3C1CB1114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573273Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:13.076{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB573DD8FD4869784EF2D7CBF4AB2544,SHA256=93658C470D187E9668748F224047ED729112FCC15BFEF8E22891DBA08E8C709B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674893Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:13.156{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BA3ECF7DE37B7D32665DC8CD702520C,SHA256=307C3E4BB663152094B52AD8BC23198CB13D000962D53CF771319B05961A42B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674892Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:13.156{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=328C13A8F02C35160C3BE51E5C5C08C1,SHA256=E474546F7DF7EC7E369B0D192770646FBEA1C0901A47BEAE59A543FDECAD5D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674891Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:13.105{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2EB90EDD5781F9B37FBE3BA562A202,SHA256=B6DAEA81EE2BA72A11526A0A3FC1202B0A2046193889BA09F85E48E6BA10E3F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674895Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:12.387{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51233-false10.0.1.12-8000- 23542300x8000000000000000674894Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:14.140{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0F6DD5625C40339D732BD52AAAE15B,SHA256=487A361E2AAF95CA68D889AB1E898B5E9B4617417477AD4AB0604E39DA495675,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573277Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:12.879{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52829-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573276Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:14.263{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90C9B75885012CBAA0F32B89B2D202A1,SHA256=9E095B2E20CC32642A98417596524E4A26E459CA8BEAD8A9F6D7B55BC4DF8153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573275Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:14.263{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C791715F27204874C60443F108995D14,SHA256=22132A8DE259640370D6C4F695E32F9A4DD0C0A2D0393A8F74D2BA34682EB332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573274Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:14.091{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305C60803EA81BC94522CD9F88D49903,SHA256=C0E52651F60124ED1668D319B7500F641709A56809B214F324625A9DC4F68754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573278Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:15.107{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668AE896F3510226076F248BB7776863,SHA256=414237CD121288DE71D51A15951A3559132BABB5536F78E39BF1C543CF8D98EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674896Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:15.155{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A65AB01E4266F4A2F19689E77DAB39,SHA256=28D61F1E11886384416037DDC34BD55D5832B22D7BFCB5FD9AC80AE6A6AB75B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573279Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:16.169{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDCD798E1DCA4BF3BD7FC30B7EC2A07,SHA256=A0AB2C5B658FBDE1A12E9333EDF8FCA045DDBE5D62A56B78AF24B9143DD59BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674897Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:16.170{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BACB94BB9A740BB70FBAA54634A467D,SHA256=5C741F0DC4C442C53E8AF580AD195E5EE2F815A012D318135E3A2DB61AFD5E79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573280Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:17.216{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39018A64B6B4ECCF6C1AC4C3ADB5109D,SHA256=E7194DA93A5F1B84763C4B3370BCB2E89BC89D4F7B1C958F9C2B23DAA191CD06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674898Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:17.203{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA70B0CAB1E8ABD38D42F7B9931D049,SHA256=06F973CDB2CBF8A1B232E8C881E06491988D13364C797B0AD8A10FC51584485E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573281Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:18.216{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B79BFF34EC8BAE5D7419BAB958BD069,SHA256=554B9454393FCC6DE44873893482F8FEFCE43A416519470DBD124CD4FCDEAC28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674901Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:18.225{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68825921B14D30FD79DA28C94C644CE5,SHA256=E5095C3575068BA807DD0B95E699A337BFFBBCBA4830D1EDDA16193CF9805F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674900Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:18.208{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2883BDB2A3FF2B6CAC7896D3E029CAEA,SHA256=4FDD1E07ADA071C51FCB1F031892077A4B2F64D018DA4052354AF7AB0BDD7E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674899Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:18.207{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BA3ECF7DE37B7D32665DC8CD702520C,SHA256=307C3E4BB663152094B52AD8BC23198CB13D000962D53CF771319B05961A42B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674903Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:19.240{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE2913AF43C135CBD273E7F678D44DB,SHA256=C9D8A2A50D6B384ED7B3AFDBE19780F1E95F680F82109C50193B705019C2826D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573282Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:19.247{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B185FA690BDC49C5F0DDE7DFC013D5A,SHA256=51A7EDE72F059306511C89A2118E008EF9E6D939E353A166370DA42A814CD6A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674902Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:17.446{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51234-false10.0.1.12-8000- 23542300x8000000000000000573285Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:20.263{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4EF005230DDAA24323F0ECA8BE6A1B4,SHA256=EB36BB4F0B561892832D08D6F2CA0CB47CA114CDA705458C30FCAB321BC0ADAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674904Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:20.270{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29F73D2F35D1F8CC15D5F3E33760957,SHA256=44DEBBB7FB67731679D6904E1DBFBD3F07353B57FA59640A150E6AD395378985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573284Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:20.201{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD3F5AACD0AC14433CA3C063E6D71CFE,SHA256=3A3430AB0A732DC77D9198DD500125E130DAA5B9EADF63FB6930080A2C0C9D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573283Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:20.201{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90C9B75885012CBAA0F32B89B2D202A1,SHA256=9E095B2E20CC32642A98417596524E4A26E459CA8BEAD8A9F6D7B55BC4DF8153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573287Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:21.310{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6036D5EF6DC9EA645DFD6B9F7571AC73,SHA256=C874BD6CFF0157D42B4E2BD0099FB5DA5CDA3458FC2A918172CDAF57E5233BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674905Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:21.285{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0F693D5E11734992168FC1C9375AF1,SHA256=BEA6215F1D9DBBE147AD0627ED173FAACEC9A9C3D5A5FD8C2124FA4EA9D3FEB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573286Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:18.785{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52830-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573288Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:22.310{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A5F963BED25B3302995713BBD6362B,SHA256=BD56AB586069EA3F7F83CADB9DCB61842E0E164766E2F81CC16C7B1DE7A0F018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674907Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:22.538{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2883BDB2A3FF2B6CAC7896D3E029CAEA,SHA256=4FDD1E07ADA071C51FCB1F031892077A4B2F64D018DA4052354AF7AB0BDD7E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674906Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:22.353{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF709BF7B8250367B96F8A3BF0E9A6F7,SHA256=92D4475016669C893C078D944E45AA4F91B1998E38326084483678C315902963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674908Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:23.368{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1F3B4D65E6446FA01E1A49FF463E3C,SHA256=1D781070FDE6CCF2BF5C6856EC5F7E41DE58643890226ED7B125C339C42EF2E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573289Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:23.357{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3E8B8D656B3D633F1EC4FB163677234,SHA256=1CE2FCC6B98CFBA3CE1F3BF20A475A053DEF872C50454B86C990A4A8A8A96D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573290Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:24.388{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C8CAFB35F1BC5C4811FDE42872C7D0,SHA256=2EACDF31654D25AF585825E335B7FCCCD0E60654C3F6F9791BC4ED39F014BE3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674912Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:24.603{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2FAA59A8ED12C04F4E969869A7D13AD5,SHA256=556CFD6C33782637BD3B118C89454D02282FEC7A0D7F7B8F09EE877A4705AD5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674911Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:24.602{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4A801ED9F441759DDBD0EB8366811C57,SHA256=5BB2C3C0F534941BB5EA07B7CE991D7F0264679A9B7D751E665765297F332DC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674910Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:22.467{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51235-false10.0.1.12-8000- 23542300x8000000000000000674909Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:24.369{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6516DC17C050C7098EE63BA533B7CE3B,SHA256=244D419C93C6E2B29B81D809388B30CDDCB3CAB32B88AF99550B6965F6FC6A09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573306Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.810{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-80A9-609D-1251-00000000BB01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573305Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.810{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573304Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.810{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573303Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.810{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573302Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.810{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573301Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.810{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573300Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.810{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573299Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.810{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573298Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.810{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573297Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.810{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573296Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.810{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-80A9-609D-1251-00000000BB01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573295Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.810{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-80A9-609D-1251-00000000BB01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573294Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.810{E1BD9FC2-80A9-609D-1251-00000000BB01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573293Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.419{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF31D8524919AF3D3A6312B4B219CCF7,SHA256=1F9F711E855B49CED197029D7E7706BD07C18B02233425C884B26329DFC241BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674915Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:25.370{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F44D9F4A5FB81CC6BA97FBCEEB18C0,SHA256=4B6B345D6964BE67579C7EB4342A6BA3F723C94DF4143D098362098C07B4E3AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573292Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.341{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94EAA1960DC22B438C31D8437C7C00CE,SHA256=FDCB398863682870D56945B585DB9FA2D57E52D823E1C0853CA0E486550234E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573291Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:25.341{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD3F5AACD0AC14433CA3C063E6D71CFE,SHA256=3A3430AB0A732DC77D9198DD500125E130DAA5B9EADF63FB6930080A2C0C9D06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674914Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:25.339{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674913Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:25.271{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B921B2068290AF9C0ADFEE9BF3CEC5C,SHA256=2ABC090B1DC1811E4A79B4A45E7FE0E26D81CCD533F43D78CF1363E48DAEBE61,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674919Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:24.499{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51236-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000674918Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:24.499{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51236-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000674917Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:26.403{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2264B33FF90B969828687F6B5665C866,SHA256=5456DD053F71B0A22690806E94C0219C97D24990F1736570721AE8C84BB6ED11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573322Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:26.822{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94EAA1960DC22B438C31D8437C7C00CE,SHA256=FDCB398863682870D56945B585DB9FA2D57E52D823E1C0853CA0E486550234E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573321Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:23.894{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52831-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000573320Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:26.482{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-80AA-609D-1351-00000000BB01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573319Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:26.482{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573318Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:26.482{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573317Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:26.482{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573316Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:26.482{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573315Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:26.482{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573314Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:26.482{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573313Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:26.482{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573312Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:26.482{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573311Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:26.482{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573310Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:26.482{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-80AA-609D-1351-00000000BB01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573309Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:26.482{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-80AA-609D-1351-00000000BB01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573308Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:26.482{E1BD9FC2-80AA-609D-1351-00000000BB01}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573307Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:26.450{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBCBA7C9C24E5102F5E21234BB45956,SHA256=6698BD5F6A00B4813A0D819819BEDFE83BE8BB943274F8C5079CA95653EAD71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674916Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:26.370{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1C273A5DABC68CBC18A35B5637935EA,SHA256=9A8E0A85CDCE378F26B2A9B9E750F9BE43987C1F8455BF40E17B30612ED94C3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674922Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:27.554{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DABA30718939413CAE02B90E231B348B,SHA256=F5BE323E336EB0B4846B878F10428695A92A19693947D96BBEDD8BBDD258A4E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674921Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:25.569{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51237-false10.0.1.12-8089- 23542300x8000000000000000674920Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:27.438{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D913808E3A80909453748FFD94286E3E,SHA256=D6A872EC3FA2E52A35FF29FE0706BC9A5752BA05695F373A20CA3E65FE85E488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573337Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:27.525{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E362F81909A228C64CF51B4527AE6317,SHA256=CFCE05E483031E5800487E3A6120E3DE43524C9A3998C74801CD0259969E0A29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573336Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:27.291{E1BD9FC2-80AB-609D-1451-00000000BB01}27844088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573335Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:27.166{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-80AB-609D-1451-00000000BB01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573334Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:27.166{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573333Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:27.166{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573332Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:27.166{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573331Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:27.166{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573330Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:27.166{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573329Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:27.166{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573328Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:27.166{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573327Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:27.166{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573326Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:27.166{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573325Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:27.166{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-80AB-609D-1451-00000000BB01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573324Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:27.166{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-80AB-609D-1451-00000000BB01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573323Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:27.166{E1BD9FC2-80AB-609D-1451-00000000BB01}2784C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573339Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:28.525{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2055F6C1C9EFEEE9D2C7C5B5F601AD72,SHA256=D6D73EEF04A0323AC0BDF899668430E831F56E142A6813FC3EBAF8F3821017B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674923Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:28.453{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D520ED31FD6AEAA0DFF891C5552AD93,SHA256=6DD8EB7ABB34AC3AAC9522A4478750D9A0916EB11CA185772FFB6002F124CEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573338Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:28.228{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCDF57FCA049C2A29EB4773CE077FBE8,SHA256=DB0852B2C4AD131BB768E8CECA9F585A8F4FE3E84D295DB802A15CE8379B89BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573341Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:29.916{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573340Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:29.541{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573D45235C90F9B41BC11D8417C4DF0C,SHA256=3A72C17D64EAADECF17DF5AAB3562417F8DE895722406E625CF266A26CBE9862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674925Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:29.484{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606789BEFC5C423646EF2E132AEADBD6,SHA256=E3C5421DFEF685880FBFAD872AA14C3DB5193EC6A2AD8C26F9E70D6513621131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674924Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:29.121{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06DDF6353EB320D1FD33D4B3A178734D,SHA256=F2EC12C2004B9BC3E957EEF52DB56BAC8FA5DAABDBE0869E523691D1A1A720D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573343Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:30.963{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDBBF28E9C9A02C1B3D879F8E3917E36,SHA256=DCEAF64D7479539F4E7CDC3789B97713A89A8F5A209D9143599F614F50E0B4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573342Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:30.572{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA7BBE5C536A4344A072948729646743,SHA256=13857CDC4D52D404AC473322338A9C4AD6C11CDD7379FD794DFEB45DD7921F77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674934Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:30.502{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8061AC4E1385AC9956AD33A84489793,SHA256=39AB49554F72BC919C9DAA9F79B48B528C10084FCFC0DF3ED2029F31F83424BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674933Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:28.329{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51238-false10.0.1.12-8000- 10341000x8000000000000000674932Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:30.267{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674931Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:30.267{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674930Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:30.267{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674929Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:30.251{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674928Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:30.251{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674927Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:30.251{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674926Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:30.251{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000573345Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:29.531{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52832-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000573344Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:31.587{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7784EC4AD7BDC0393136BC2040015EC6,SHA256=FFA223B20325ECD203D8CEAFFD5DCD0C82C6FBB6F05259D6163DA221F8125E94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674943Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:31.966{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674942Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:31.966{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674941Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:31.966{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2756-00000000BA01}6584C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674940Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:31.951{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674939Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:31.951{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674938Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:31.951{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674937Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:31.951{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8034-609D-2856-00000000BA01}5056C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674936Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:31.519{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CCBABFB2472C82A5773380C38A78A39,SHA256=CB518EF526053E9D801C5D3D2D068DD7F14D8E40FA70DA8360E3380964A7D495,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674935Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:31.266{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF7FEC7DE6575C9C1EDEF4EC3A5CB46A,SHA256=5F33F9727901DF04464304A5CF3E9EDF11E9693AF2C77F2DF0B0BD48A2223EB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573347Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:29.703{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52833-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573346Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:32.619{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B793282F22AE341DEEFF6B6ECF52CD50,SHA256=49492D2255A23C198C9D16E23E81B1561E7306715EB80F5CF3C3C8F34F6930DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674944Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:32.550{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E85A9B4D1319536EF0058F5FE1B4EC,SHA256=52B48B07CC0F4DA6460F4D569ADEAA3BAC3E590ADAA09671DD7F7221FBBB0BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573348Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:33.619{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0B8045702C92BFDC56730FA1D0CC38B,SHA256=3A634D7AA4D3E1BDE2F846166D30A43FC7574E559CC6219E09EB43EB73A79384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674952Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:33.580{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A7DE60B9323E99CC6A794B1943ABEE,SHA256=018A58D92C3A4A8F873B35B3076E08969ED91A244706C0B087AE5E6961616C8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674951Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:33.318{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A54C-00000000BA01}2120C:\Program Files\Git\git-cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674950Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:33.318{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A54C-00000000BA01}2120C:\Program Files\Git\git-cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674949Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:33.318{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674948Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:33.318{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674947Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:33.318{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674946Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:33.318{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000674945Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:33.302{7B03F3B2-8034-609D-2756-00000000BA01}6584ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveMD5=B6B6E2D0F18BF73CC0145524D1EE7147,SHA256=015825892916BE2C84E6303300935FCFA145767F0955AE10B717C7D7175277AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573349Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:34.650{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389D245CCF94FDC005087937ED388227,SHA256=AA74A040A85584E7A1ECEBF14ABB14EF3E3BAD6A8461612C5E11BD4E61D50786,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000674997Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.982{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-80B2-609D-3E56-00000000BA01}7476C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674996Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.982{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-80B2-609D-3E56-00000000BA01}7476C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674995Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.982{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-80B2-609D-3E56-00000000BA01}7476C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674994Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.982{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-80B2-609D-3E56-00000000BA01}7476C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674993Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.967{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-80B2-609D-3E56-00000000BA01}7476C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674992Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.967{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-80B2-609D-3E56-00000000BA01}7476C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674991Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.951{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-80B2-609D-3D56-00000000BA01}7840C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674990Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.951{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-80B2-609D-3D56-00000000BA01}7840C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674989Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.951{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-80B2-609D-3D56-00000000BA01}7840C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674988Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.935{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-80B2-609D-3D56-00000000BA01}7840C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674987Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.935{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-80B2-609D-3D56-00000000BA01}7840C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000674986Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.935{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-80B2-609D-3D56-00000000BA01}7840C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674985Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.882{7B03F3B2-31A0-609C-482D-00000000BA01}46084168C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000674984Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.882{7B03F3B2-31A0-609C-482D-00000000BA01}46084168C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000674983Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.882{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674982Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.882{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674981Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.851{7B03F3B2-31A0-609C-482D-00000000BA01}46084168C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000674980Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.851{7B03F3B2-31A0-609C-482D-00000000BA01}46084168C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000674979Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.851{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000674978Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.851{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000674977Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.851{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674976Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.851{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674975Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674974Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-D0CA-609A-0D00-00000000BA01}9125240C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674973Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-D0CA-609A-0D00-00000000BA01}9125240C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674972Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-D0CA-609A-0D00-00000000BA01}9125240C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674971Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-D0CA-609A-0D00-00000000BA01}9125240C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674970Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-D0CA-609A-0D00-00000000BA01}9125240C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674969Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-D0CA-609A-0D00-00000000BA01}9125240C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+1644|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674968Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674967Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674966Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674965Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000674964Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000674963Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000674962Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674961Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-31A0-609C-522D-00000000BA01}18765896C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674960Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674959Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-31A0-609C-522D-00000000BA01}18765896C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674958Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000674957Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x8000000000000000674956Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.836{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 23542300x8000000000000000674955Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.583{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B148DF4608FE00D793D0C1345BD172E,SHA256=29AC1903C5F56ACC7C4E89E556BEECC45D8C44F3B104087927846FAAF84AA7A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000674954Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:33.345{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51239-false10.0.1.12-8000- 23542300x8000000000000000674953Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:34.121{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD0400D32A70BF7043DE6367B26BD579,SHA256=A64FD07BD6E74CB4A3F96DA1DF2CE1D2DCB8447A07E1D966D2CD90A7585C55B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573378Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.823{E1BD9FC2-80B3-609D-1651-00000000BB01}33043520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573377Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.698{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-80B3-609D-1651-00000000BB01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573376Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.698{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573375Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.698{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573374Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.698{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573373Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.698{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573372Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.698{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573371Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.698{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573370Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.698{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573369Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.698{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573368Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.698{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573367Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.698{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-80B3-609D-1651-00000000BB01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573366Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.698{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-80B3-609D-1651-00000000BB01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573365Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.699{E1BD9FC2-80B3-609D-1651-00000000BB01}3304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573364Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.667{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D501816C0A02CAD3DA6F53A734183C,SHA256=FA501C355DE078D769FA09C02F08EF026B844B091108233CC410E77ACD776BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675000Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:35.920{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=553524A0FD0CC88AF374BD94A3679FF8,SHA256=366D2554A0759FD6E83DDD19C6FB8B27E6CCF10F91602DE457C424F585A4856E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000674999Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:35.583{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496ACC8777132BDB451FB036902E8712,SHA256=BB8EC76149EB755B4492B60C25DD2410DBD63073786B149FBBC533FFF32B87DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573363Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.151{E1BD9FC2-80B3-609D-1551-00000000BB01}3323792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573362Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.025{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-80B3-609D-1551-00000000BB01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573361Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.025{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573360Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.025{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573359Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.025{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573358Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.025{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573357Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.025{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573356Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.025{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573355Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.025{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573354Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.025{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573353Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.025{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573352Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.025{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-80B3-609D-1551-00000000BB01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573351Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.025{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-80B3-609D-1551-00000000BB01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573350Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:35.026{E1BD9FC2-80B3-609D-1551-00000000BB01}332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000674998Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:35.068{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9D378F00634CE0B2C2317D9B46A1EE,SHA256=DBC7DCB79D79C6A1DC64FE4BB5BBDF0C988AB14D79C593F6CAB57A2F7DCA8064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675107Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.990{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCD4DAD0C86F3F75A3D99AFEB92D324,SHA256=67D2CD477576CA0A2905C35A4F28A7641A5B391BFE48BA6742D93C6C39369865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675106Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.974{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04544D333F7BB261AFA6D3BBC207579D,SHA256=D05508256D0C32F7007CC03C827EF4AAC6DA914DE4BC65C762871302C97B81EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675105Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.904{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675104Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.904{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000573395Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.743{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30D15FDC9309DC6D46F6A3BB3F0AACB4,SHA256=72DC2E739E4DB6C67939DC9B8EE7BA78934C44D8BE80504CF4F1154CEBA7B8CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675103Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.904{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675102Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.904{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675101Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.904{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675100Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.899{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675099Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.899{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675098Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.898{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675097Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.898{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675096Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.898{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675095Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.898{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675094Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.898{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675093Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.897{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675092Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.868{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675091Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.868{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675090Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.868{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675089Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.835{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675088Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.835{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675087Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.835{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675086Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.835{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675085Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.835{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675084Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.819{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675083Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.819{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675082Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.819{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675081Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.819{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675080Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.819{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675079Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.819{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675078Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.819{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675077Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.819{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675076Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.766{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675075Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.766{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675074Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.766{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675073Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.766{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675072Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.751{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675071Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.751{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675070Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.751{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675069Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.751{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675068Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.751{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675067Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.751{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675066Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.751{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675065Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.751{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675064Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.751{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675063Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.700{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675062Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.700{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675061Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.700{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675060Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.699{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675059Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.698{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675058Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.682{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675057Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.682{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675056Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.682{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675055Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.682{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675054Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.682{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675053Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.682{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675052Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.682{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675051Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.682{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000675050Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.604{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D043890231016288AFB53257CD61B0,SHA256=0374B93C19E914D19C64EFC927E2A4C2F2C45C015DBE1434AACA51E62E39A716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675049Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.599{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4E993C003BE5057067E9DFB7B67C32,SHA256=C8A7B1723E92D53D55E060EF32E4FA250ABE76CFCB8ECCA842BCADF6B7AFC313,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573394Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.493{E1BD9FC2-80B4-609D-1751-00000000BB01}34921656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573393Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.368{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-80B4-609D-1751-00000000BB01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573392Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.368{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573391Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.368{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573390Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.368{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573389Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.368{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573388Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.368{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573387Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.368{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573386Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.368{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573385Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.368{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573384Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.368{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573383Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.368{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-80B4-609D-1751-00000000BB01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573382Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.368{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-80B4-609D-1751-00000000BB01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573381Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.368{E1BD9FC2-80B4-609D-1751-00000000BB01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573380Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.026{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27BAFCFFE551D3F94DD8D77BE97540FD,SHA256=5FF874DEA1736370FB60778F3733F6D81158D5DBC026BB34E02D1DDFA5336A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573379Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:36.026{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CEEFE61D372D111621E1269FCE2D53C8,SHA256=458C1F15E98959534563597786F30E6E35680A347BD75DF61A1A03122CAAC35C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675048Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.566{7B03F3B2-31A0-609C-482D-00000000BA01}46083504C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+9a0e|C:\Windows\SYSTEM32\ntdll.dll+80a24 10341000x8000000000000000675047Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.566{7B03F3B2-31A0-609C-482D-00000000BA01}46083504C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+9a0e|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892 10341000x8000000000000000675046Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.566{7B03F3B2-31A0-609C-482D-00000000BA01}46083504C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+9a0e|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892 10341000x8000000000000000675045Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.566{7B03F3B2-31A0-609C-482D-00000000BA01}46083504C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+9a0e|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675044Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.566{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675043Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.566{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675042Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.566{7B03F3B2-31A0-609C-482D-00000000BA01}46083504C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675041Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.566{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675040Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.566{7B03F3B2-31A0-609C-482D-00000000BA01}46083504C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675039Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.566{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675038Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.566{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675037Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.566{7B03F3B2-31A0-609C-482D-00000000BA01}46083504C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675036Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.566{7B03F3B2-31A0-609C-482D-00000000BA01}46083504C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675035Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.535{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675034Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.535{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675033Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.535{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675032Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.535{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675031Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.520{7B03F3B2-31A0-609C-482D-00000000BA01}46083504C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675030Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.520{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675029Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.520{7B03F3B2-31A0-609C-482D-00000000BA01}46083504C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675028Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.520{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675027Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.520{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675026Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.520{7B03F3B2-31A0-609C-482D-00000000BA01}46083504C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675025Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.520{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675024Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.520{7B03F3B2-31A0-609C-482D-00000000BA01}46084168C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675023Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.520{7B03F3B2-31A0-609C-482D-00000000BA01}46084168C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000675022Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.482{7B03F3B2-31AD-609C-632D-00000000BA01}4184ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4U4R881F\microsoft.windows[1].xmlMD5=3059E48CE0F590DAEB5439BDEA3A09E5,SHA256=C4BB23B224DF5A9FDD20CF708D5EE467DF14C8EEA36EF9E0169E305D6A45377C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675021Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.451{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000675020Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.451{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000675019Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.451{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675018Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.451{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675017Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.451{7B03F3B2-31A0-609C-482D-00000000BA01}46087860C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675016Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.451{7B03F3B2-31A0-609C-482D-00000000BA01}46087860C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675015Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.451{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675014Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.451{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675013Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.435{7B03F3B2-31A0-609C-482D-00000000BA01}46084168C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000675012Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.435{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675011Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.435{7B03F3B2-31A0-609C-482D-00000000BA01}46084168C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000675010Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.435{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675009Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.435{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675008Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.435{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675007Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.435{7B03F3B2-31AD-609C-632D-00000000BA01}4184ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4U4R881F\microsoft.windows[1].xmlMD5=F8BD47944A348134CBE5171B0FE02BB5,SHA256=0B9AAF7AA18DFFE09B6C788D6928BADEA83BB441441C6D428E83A53EE91A2DF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675006Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.435{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675005Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.435{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675004Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.435{7B03F3B2-31A0-609C-522D-00000000BA01}18766596C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675003Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.435{7B03F3B2-31A0-609C-522D-00000000BA01}18766596C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675002Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.435{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675001Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:36.435{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000573411Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:34.734{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52834-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573410Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:37.744{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C5095BF3E42328BB2C13A52C9D7DE4,SHA256=40CE5941DDB63BB14A77277140FF22BE8F764B44C80390F657A2661E11DFA217,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675145Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.519{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675144Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.519{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675143Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.519{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675142Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.519{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675141Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.519{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675140Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.519{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675139Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.519{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675138Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.519{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675137Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.519{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675136Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.519{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675135Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.503{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675134Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.503{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675133Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.503{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675132Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.503{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675131Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.503{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675130Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.503{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675129Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.503{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675128Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.503{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000675127Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042SetValue2021-05-13 19:40:37.403{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 10341000x8000000000000000675126Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.199{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675125Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.198{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675124Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.197{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675123Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.182{7B03F3B2-319D-609C-402D-00000000BA01}2288452C:\Windows\system32\csrss.exe{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675122Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.166{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675121Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.166{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675120Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.166{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675119Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.166{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675118Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.166{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675117Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.166{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675116Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.168{7B03F3B2-80B5-609D-3F56-00000000BA01}2588C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 13241300x8000000000000000675115Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:40:37.151{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXEHKU\S-1-5-21-789690981-2482995664-2390229051-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {6A283FE2-ECFA-4599-91C4-E80957137B26} 0xFFFFBinary Data 10341000x8000000000000000675114Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.151{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675113Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.151{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675112Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.135{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675111Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.135{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675110Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.135{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675109Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.135{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675108Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:37.135{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000573409Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:37.385{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27BAFCFFE551D3F94DD8D77BE97540FD,SHA256=5FF874DEA1736370FB60778F3733F6D81158D5DBC026BB34E02D1DDFA5336A22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573408Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:37.039{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-80B5-609D-1851-00000000BB01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573407Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573406Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573405Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573404Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573403Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573402Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573401Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573400Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573399Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573398Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:37.039{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-80B5-609D-1851-00000000BB01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573397Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:37.039{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-80B5-609D-1851-00000000BB01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573396Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:37.040{E1BD9FC2-80B5-609D-1851-00000000BB01}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573412Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:38.744{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02530FF8457B5F17D5E57F91245DEA99,SHA256=745D3F8313BC3A3CAC78C80EEA03C98976C193E9850AB497596ADBFD9EEB30E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675147Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:38.180{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC6AB58EC8DC3745DC5AD8E06F584188,SHA256=9506ECEB710FB22079654425309C26D149F6F8C16041C58C3758DA98118D600F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675146Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:38.134{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1B124C0DC025DE5B7A546884B04E7A,SHA256=61CF03C68413EDA0EF4CFF830596FFCA23FAB7680454AA5AD62BA300E2614FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573413Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:39.760{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305F6D7DB6DD7809EF1AC9665FD17F55,SHA256=A4A6CC1125058BDC53A514CE4BE46C89AE985DD2C4E00A9E64E668C2922398A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675193Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.948{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000675192Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.948{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675191Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.948{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa7f50c2.TMPMD5=346300475E448CB8C87FA70FBB77957C,SHA256=6E1B0925EC7B732FAB1C67727204BF1339A3240893B5B49D14944A94705CC7A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675190Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.748{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675189Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.748{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675188Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.748{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675187Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.748{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675186Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.748{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675185Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.748{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675184Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.748{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675183Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.748{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675182Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.748{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675181Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.748{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675180Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.748{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675179Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.748{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675178Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.748{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675177Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.732{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675176Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.732{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675175Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.732{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675174Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.717{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675173Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.717{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000675172Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042SetValue2021-05-13 19:40:39.679{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 10341000x8000000000000000675171Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.617{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675170Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.617{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675169Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.617{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675168Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.601{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675167Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.601{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675166Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.601{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675165Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.601{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675164Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.601{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675163Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.601{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675162Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.601{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675161Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.590{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000675160Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675159Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675158Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.564{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675157Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.564{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675156Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.564{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675155Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675154Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.564{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675153Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.248{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5AF4D1A1A4E95FF814F3F83631CEB9D,SHA256=349A99A1CE3C9C196E5EFC585666090E6E92D791F63D2601BD38F91CB12B502A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675152Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.148{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603004AD25BD4B7300C6A50804DBF7F7,SHA256=F81A8E22B408B056DDFD199753163ED15C54986B5BC320DDD045754A3F723713,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675151Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.101{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675150Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.101{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675149Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.101{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675148Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:39.101{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000573414Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:40.775{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D8AD1C9F3A00710C09D66F79D3A5EF3,SHA256=402938130E621DA12DCBAC663F784F775EE56E8D449E1560961AE2A654D6C0CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675196Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:38.463{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51240-false10.0.1.12-8000- 23542300x8000000000000000675195Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:40.447{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D0396C1457F542751BF6E766C8336C3,SHA256=4B55628A9F64CFCF5FF55A11A40C0B34AC5A868C8981D276779E94CF683403AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675194Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:40.416{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32947E688E1AEFF58A6BD8391DE97DCD,SHA256=C2552A4C578A3FB632A9CE446064E072E9F49E3914343546F2A2A2B24F08E8A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573416Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:41.806{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F365964C24CC860F7457452D75A62590,SHA256=BF83DD4396DDD23ED6598CFFB9564493989D6CC118D6BFA38E6439393475F9E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675202Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:41.961{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000675201Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:41.961{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000675200Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:41.961{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000675199Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:41.961{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000675198Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:41.446{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B96B3B80FEDD510B334AB6DCE142C88,SHA256=0B075FAA1C09D27E9862A7B540AB7B4B27685A4A2CE04AB50C1E99DCB8AE50F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573415Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:41.213{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A46EE035D72B84C2461E728B912DFF5,SHA256=FB71B66586904E8900B5B8301449830C81B1ACCDC6E74D8CECC1D5937ACF9541,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675197Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:41.315{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80B7-609D-4056-00000000BA01}7692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2e0d|C:\Windows\System32\Windows.UI.Immersive.dll+71a5e|C:\Windows\System32\Windows.UI.Immersive.dll+71e8c|C:\Windows\System32\Windows.UI.Immersive.dll+71a3e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+277f4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 23542300x8000000000000000573418Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:42.806{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79E172C515ECE6288E3A97B22066DCC,SHA256=DE70A33C5CFF63B1AC77C802DF4BFEEA8135C72A59C9AE12D5CB525869176A29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675204Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:42.576{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AF9AFB89596608314703F369768CBEE,SHA256=39960CB1C3D5EBD018664BA8969ABB8C67D974A08A3835DDBAB9E9E1CD7040AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675203Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:42.461{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E5F0E49934CA6ED70BC19A69181C7C,SHA256=C5E6458B949C61ADCB7B856E8964F1AE0D15A4A81D84F700A6E2C788AC755427,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573417Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:39.812{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52835-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000675209Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:43.497{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675208Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:43.497{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675207Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:43.497{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675206Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:43.493{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675205Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:43.475{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C9C96810AE7922725EE4E3105767BF5,SHA256=B3A02C5AC0479C08E463351C815208527241D0E6B0D719AEA04E4E64CFFCABE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573419Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:43.853{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F644CDA857A0AE97802D6FED6A254689,SHA256=75C954949E02A95DADEC1C6C90CED55125C749BA9777165F27932C15225B9BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573420Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:44.885{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D8E916A2021C721DD3CF819074031F,SHA256=39D6D9CE9EC00BE5C8481227A9EAB8C4B213A0194E574B1C3541E422CE161990,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675219Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:44.927{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-80BC-609D-4156-00000000BA01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675218Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:44.927{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675217Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:44.927{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675216Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:44.927{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675215Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:44.927{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675214Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:44.927{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-80BC-609D-4156-00000000BA01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675213Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:44.927{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-80BC-609D-4156-00000000BA01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675212Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:44.928{7B03F3B2-80BC-609D-4156-00000000BA01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000675211Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:44.859{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE00AE89E4B1F4AA396B210F164B5817,SHA256=8E182DE42E2D69C3251E547C97630EC704A103DA91B0A01B5F5BE6561F2D283E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675210Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:44.543{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=112BBA989D87FDB37EAA6BD15022DF6D,SHA256=57ABCB16583C754D80D6D852E01007C77CFB665671A03669F770D392E94E64D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573421Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:45.916{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943905DA4FF64C69C975A059D8673428,SHA256=0E0C67D6CAF8286BFC10FB13E5AB18412C1348F164D8F593781B4BD8951F2DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675276Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.943{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19F7531A3351E5F8A9A136F7C6F45A3C,SHA256=0E8A15D377030876D3712AE789ADF8B1D784EFA7F94405ED84501BC5E0FD7F50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675275Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.758{7B03F3B2-80BD-609D-4356-00000000BA01}56003352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675274Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.595{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-80BD-609D-4356-00000000BA01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675273Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.593{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675272Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.592{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675271Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.592{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675270Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.592{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675269Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.592{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-80BD-609D-4356-00000000BA01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675268Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.592{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-80BD-609D-4356-00000000BA01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675267Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.591{7B03F3B2-80BD-609D-4356-00000000BA01}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000675266Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.543{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB7225FED710DF0EDF5E62FCDDEF327,SHA256=8F1110B2C1ED36F06B5B88B295EE34C4796506CDF10D42102D7A2279E764762D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675265Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.460{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675264Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.460{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675263Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.460{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675262Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.460{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675261Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.460{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675260Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.443{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675259Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.443{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675258Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.443{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675257Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.443{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675256Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.443{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675255Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.443{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675254Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.443{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675253Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.443{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000675252Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.392{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB618D57E1ECF06CA89C3655F3BB5EE,SHA256=4EE03834C8EE0932E18BC6288F71F40220800E34964AB82CEB9C62D07451805C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675251Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.296{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675250Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.296{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675249Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.296{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675248Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.296{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675247Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.296{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675246Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.296{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675245Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.296{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675244Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.296{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675243Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.296{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675242Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.296{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675241Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.296{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675240Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.295{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675239Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.295{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675238Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.228{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675237Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.228{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675236Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.228{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675235Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.228{7B03F3B2-31A0-609C-482D-00000000BA01}46082848C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675234Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.228{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675233Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.228{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-80BD-609D-4256-00000000BA01}996C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675232Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.212{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-80BD-609D-4256-00000000BA01}996C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675231Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.212{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-80BD-609D-4256-00000000BA01}996C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675230Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.212{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-80BD-609D-4256-00000000BA01}996C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675229Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.197{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-80BD-609D-4256-00000000BA01}996C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675228Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.197{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-80BD-609D-4256-00000000BA01}996C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675227Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.174{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675226Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.174{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675225Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.174{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675224Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.174{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675223Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.174{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675222Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.174{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675221Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.174{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675220Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:45.174{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000573424Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:46.977{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A31AC47C63BDB2E3510DE9D1D1E448,SHA256=04C035ECDBFCE34C48D3B3CC299A2741D470A6B961F1DF5152942916BFE556B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675286Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:44.489{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51241-false10.0.1.12-8000- 23542300x8000000000000000675285Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:46.642{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=714734AC9D9EBB4FFC6F47B955A050D5,SHA256=8277EDA3E0312C0F1EED0829E578B66E06F9D165482B4C3D699432E54F5E1976,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573423Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:46.213{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FF546F10ECB85173FAA503755D26ED7,SHA256=DD04864ADA54065187060C60BFBD3880068CF42481C555871EB521D0CCD09276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573422Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:46.213{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E42560CDEF25DEF458FC0846E46A156B,SHA256=EF3E72A63AE120A830E9762DD7397F87F8D14909A66F231964039689FE1339AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675284Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:46.211{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-80BE-609D-4456-00000000BA01}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675283Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:46.211{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675282Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:46.211{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675281Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:46.211{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675280Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:46.211{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675279Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:46.211{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-80BE-609D-4456-00000000BA01}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675278Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:46.211{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-80BE-609D-4456-00000000BA01}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675277Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:46.212{7B03F3B2-80BE-609D-4456-00000000BA01}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000675306Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.956{7B03F3B2-80BF-609D-4656-00000000BA01}69168136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675305Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.756{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-80BF-609D-4656-00000000BA01}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675304Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.756{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675303Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.756{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675302Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.756{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675301Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.756{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-80BF-609D-4656-00000000BA01}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675300Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.756{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675299Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.756{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-80BF-609D-4656-00000000BA01}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675298Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.757{7B03F3B2-80BF-609D-4656-00000000BA01}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000675297Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.656{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB41DAA54A7790BBF37D01A44CB2619,SHA256=1BFD01D2FFF89D2938ABD72C73478E1105947D947851D1794464C67185150891,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573425Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:44.812{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52836-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000675296Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.441{7B03F3B2-80BF-609D-4556-00000000BA01}43645392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675295Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.241{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-80BF-609D-4556-00000000BA01}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675294Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.241{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675293Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.241{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675292Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.241{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675291Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.241{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675290Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.241{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-80BF-609D-4556-00000000BA01}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675289Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.241{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-80BF-609D-4556-00000000BA01}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675288Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.242{7B03F3B2-80BF-609D-4556-00000000BA01}4364C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000675287Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:47.225{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8766449342CB5C01967A960A348E1D7,SHA256=4A052C33916E4C5A0A6FEEDF7F657D8C56A29C816255ADA8396F04C13AD5640F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675308Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:48.671{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F74F5FA438BA2E86258B95831F7EDF03,SHA256=BDC513BADE02931DAEF29163AA10F86989FA9131F1222C0C5E2A4325CFBFE7B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573426Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:48.008{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DDE3B1E9161EFF3967389208CF617A3,SHA256=F60A097370981DD952B15E88513575D02023FF1CA5249F37E0B1F12817D8FB3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675307Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:48.256{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60C220C4CD6C6E40304B811D4C676307,SHA256=6BB80E6B1283BD6E015B32D727AC0974422C760F7090B97C5D617F8EDB5FFE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675346Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.839{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA482B84711A441EA691B2AAFBE17C9,SHA256=30AB6159D74B7F3BC1A37DC00319F22F1A51791C045E68C69D873794906F020C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573427Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:49.071{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFC4898BE2886CFDEC62B6DC99DFC69,SHA256=628ED26726C1BCB6A0BD0247A890E1AB7EA48FA19D4430DF0E2FBA877A41473C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675345Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.424{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675344Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.424{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675343Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.424{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675342Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.424{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675341Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.424{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675340Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.424{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675339Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.424{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675338Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.424{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675337Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.424{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675336Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.424{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675335Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.424{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675334Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.424{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675333Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.424{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675332Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.408{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675331Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.408{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675330Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.408{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675329Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.408{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675328Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.408{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000675327Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042SetValue2021-05-13 19:40:49.371{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 10341000x8000000000000000675326Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.324{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675325Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.324{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675324Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.324{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675323Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.308{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675322Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.308{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675321Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.308{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675320Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.308{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675319Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.308{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675318Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.308{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675317Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.308{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675316Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.300{7B03F3B2-80C1-609D-4756-00000000BA01}5876C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000675315Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.288{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675314Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.288{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675313Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.287{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675312Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.287{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675311Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.286{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675310Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.271{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675309Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:49.271{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000675380Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042SetValue2021-05-13 19:40:50.992{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 10341000x8000000000000000675379Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.970{7B03F3B2-80C2-609D-4856-00000000BA01}21085792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675378Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.939{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675377Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.939{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675376Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.939{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675375Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.923{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675374Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.907{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675373Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.907{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675372Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.907{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675371Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.907{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675370Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.907{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675369Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.907{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675368Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.908{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000675367Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.892{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675366Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.892{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675365Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.892{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675364Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.892{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675363Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.892{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675362Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.892{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675361Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.891{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675360Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.854{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70BA6B15FD8D6B29B8D7BDF9E07BEED,SHA256=DBC5B40798E6C15D86C6D23F3A9FC53CE855A4C7A1F9EE756AD72BA1378AE542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573428Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:50.071{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00A9B19DA098930486CBECC609695CA,SHA256=AE5562B92163733434462E9B7FFD532204BE1F5FA2BA0B8E718F77F5B1D84DD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675359Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.770{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-80C2-609D-4856-00000000BA01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675358Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.770{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675357Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.770{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675356Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.770{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675355Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.770{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675354Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.770{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-80C2-609D-4856-00000000BA01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675353Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.770{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-80C2-609D-4856-00000000BA01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675352Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.771{7B03F3B2-80C2-609D-4856-00000000BA01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000675351Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.323{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE6EF80225EA9CA1E20BB7FA498179C6,SHA256=2C178A95995BD425F72D12ABC7C114E653FA5E165A1DE518F6D686F368792FB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675350Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.039{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675349Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.039{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675348Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.039{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675347Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.039{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675410Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.856{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F2AC0FC82883E139B493F1F9D4FDB0,SHA256=278CF4732F1401F2760F4F9FD333784EF68B6A4E6301AAF53E76C64A70A3045A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573429Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:51.086{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6CC1F81CC016323DF5F4FDEF31128A,SHA256=9A325B2BBE921D983E1912D274BCEA317386B9ADA0C5BA8F9009B5F6715F7D4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675409Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:50.284{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51242-false10.0.1.12-8000- 23542300x8000000000000000675408Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.672{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFE0E77FF6920D6F98C9C85CD1BDD5C,SHA256=102A64398733A952E1705B4125E1CF17872EE2B44EB8C7675CBC66D56108BDF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675407Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.425{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-80C3-609D-4A56-00000000BA01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675406Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.425{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675405Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.425{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675404Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.425{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675403Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.425{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675402Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.425{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-80C3-609D-4A56-00000000BA01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675401Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.425{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-80C3-609D-4A56-00000000BA01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675400Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.426{7B03F3B2-80C3-609D-4A56-00000000BA01}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000675399Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.410{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=402FC97CF590BF30054E8F027BBAF3F6,SHA256=D5CBC3611477C46B0E4AFDEB9181D13FC32825ED602EA392C965A22893C6135B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675398Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.039{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675397Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.039{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675396Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.039{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675395Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.039{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675394Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.039{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675393Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.039{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675392Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.039{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675391Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.039{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675390Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.039{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675389Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.039{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675388Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.039{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675387Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.039{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675386Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.039{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675385Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.023{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675384Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.023{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675383Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.023{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675382Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.023{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675381Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:51.023{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80C2-609D-4956-00000000BA01}6892C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675416Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:52.870{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748F80367506E5A762B2846A9A9B78E2,SHA256=C69270D5F610B2F0F684C00645BE3671D899E9B6F472E96A57BC91DC4F722545,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000573442Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:40:52.930{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000573441Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:40:52.930{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a77e7b9) 13241300x8000000000000000573440Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:40:52.930{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74827-0x806a52b1) 13241300x8000000000000000573439Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:40:52.930{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7482f-0xe22ebab1) 13241300x8000000000000000573438Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:40:52.930{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d74838-0x43f322b1) 13241300x8000000000000000573437Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:40:52.930{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000573436Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:40:52.930{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a77e7b9) 13241300x8000000000000000573435Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:40:52.930{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74827-0x806a52b1) 13241300x8000000000000000573434Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:40:52.930{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7482f-0xe22ebab1) 13241300x8000000000000000573433Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:40:52.930{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d74838-0x43f322b1) 23542300x8000000000000000573432Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:52.243{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9BE5E656FA689657629E619C3818302,SHA256=D13182746EB965D9B47526009B2C2F641AE69528A4B9A78C322F69CF8CB4E233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573431Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:52.243{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FF546F10ECB85173FAA503755D26ED7,SHA256=DD04864ADA54065187060C60BFBD3880068CF42481C555871EB521D0CCD09276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573430Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:52.149{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4006D12BB287F562126F05BD90EAE04C,SHA256=DD16639E848600320B3251D40801E6C4255FE8A8F8D3BD253F92168F790F1434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675415Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:52.490{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F57772AAB0BAED059BE85F8BA9233643,SHA256=8828D783BC178DF1C27D7D924197CE66753F2CAEA374328F5461792A42E855C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675414Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:52.393{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675413Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:52.393{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675412Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:52.393{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675411Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:52.393{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000573444Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:50.827{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52837-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573443Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:53.165{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BE7398EB62A7036C1637D7D926FC18,SHA256=7644AF23E731921A92339A4E07A57B1331B940C889115CF6007F024B511C15BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675444Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.754{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A345C613DF06E354D98C44DD39E55B0D,SHA256=2DEBD127A0A86DAA08324E0403FC63C7899E6FD5B1DB1DB2FF24081F75CA7614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675443Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.586{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=542531DF9CD9B92C924FE1DD4E2E5D32,SHA256=36271F157B3AB3A7C874DDDBC1D5A308D3F40574EA8D52D6BC81F734CB7F086F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675442Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.407{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\pending_pings\723ff643-547c-45fe-afe9-56e67c52036cMD5=7698B17C962D9B8484D947C2FE5D38B4,SHA256=C4FFCC1AE9BE3EE2FA0A537B87033BF995C645BCA4CBBD10992EEB24CD3C80D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675441Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.255{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=8F3F2E6E47D4E00BC62EE82F8458EE3A,SHA256=72BB9C5952B6EBECE922387947AAE43E83B37B15C3B18A66ADB87FD560F4A2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675440Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.255{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=FDE5545D1843C2D3963929FACA9E3E25,SHA256=A5D8E250D7AC732A7FDBF5C953551C8887905D587795D9B6E048CE09171D42B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675439Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.255{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=33ECD76F7A56DA091886E536522D70B6,SHA256=E122B90D21C3C6801767D468FFE2D7C6FEB89FB84CB0C7AD8A3DEEB883A57155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675438Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.255{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=7DEE3FD65C6FD56C47DF8EC2CAF04A1D,SHA256=2AFD39A95CCC1982F05F06D4F6034C56DE9A04C9BB308700D3B8FC741345F964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675437Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.255{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=85B2D94EFC6BC6ACD18399E2FACF8949,SHA256=68E49417167481CCEDF8358CF452CE32052872F631BE3C3B2BD877B4F1CDC6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675436Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.239{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=2D52E6A9863219AFCB05E6ECAB153EA4,SHA256=F4CBB2C59F7E45FA97A4124DE2C7EB67FF552571E857B3156878C25B36B05C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675435Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.239{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=C409CFB951EDBE1B37A611755485664B,SHA256=52FDB9FF3E836B5D993CE163E57F2BA1D2CE9D83D6AF54D7FF0C42044FAA38C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675434Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.239{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=0CC672FF88D124701944F5EE107894C1,SHA256=290FC7955101DDDB2BAAB270C8A7BBE2AEAF1000C6F4F0DEF7937DBA171F94B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675433Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.239{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=72F4AC2315FAD47296EC302C003B4794,SHA256=2654FAA06E219AD52CB450F44BBE08C6168F0BB319327DB85B71D830490414DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675432Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.170{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675431Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.170{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675430Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.170{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000675429Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.170{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000675428Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.154{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675427Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.154{7B03F3B2-31A0-609C-522D-00000000BA01}18767244C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675426Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.154{7B03F3B2-31A0-609C-522D-00000000BA01}18767244C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675425Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.154{7B03F3B2-31A0-609C-522D-00000000BA01}18766596C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675424Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.154{7B03F3B2-31A0-609C-522D-00000000BA01}18766596C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675423Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.154{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675422Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.154{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A54C-00000000BA01}2120C:\Program Files\Git\git-cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675421Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.154{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A54C-00000000BA01}2120C:\Program Files\Git\git-cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675420Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.154{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675419Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.154{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675418Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.154{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675417Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.154{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-3953-609D-A64C-00000000BA01}1904C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573448Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:54.571{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573447Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:54.571{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573446Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:54.571{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000573445Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:54.196{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E630B353B67CC7B15C0735AE3944140,SHA256=AB86292A63341D4FF0D18DD96145B5C906D6B5DB57416460A96E09BF0CE71E01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675466Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.722{7B03F3B2-37B7-609D-644C-00000000BA01}5804768C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-37B9-609D-664C-00000000BA01}4572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cea0|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f3|C:\Program Files\Mozilla Firefox\firefox.exe+40d80|C:\Program Files\Mozilla Firefox\firefox.exe+40a7c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675465Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.722{7B03F3B2-37B7-609D-644C-00000000BA01}5804768C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-37B9-609D-664C-00000000BA01}4572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cea0|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f3|C:\Program Files\Mozilla Firefox\firefox.exe+40d80|C:\Program Files\Mozilla Firefox\firefox.exe+40a7c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675464Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.722{7B03F3B2-37B7-609D-644C-00000000BA01}5804768C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-37B9-609D-664C-00000000BA01}4572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cea0|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f3|C:\Program Files\Mozilla Firefox\firefox.exe+40d80|C:\Program Files\Mozilla Firefox\firefox.exe+40a7c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675463Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.690{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675462Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.690{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675461Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.690{7B03F3B2-31A0-609C-522D-00000000BA01}18765896C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675460Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.690{7B03F3B2-31A0-609C-522D-00000000BA01}18765896C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675459Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.690{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675458Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.690{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675457Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.690{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000675456Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.690{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000675455Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.687{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675454Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.687{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675453Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.669{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675452Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.669{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675451Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.669{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675450Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.669{7B03F3B2-31A0-609C-522D-00000000BA01}18765896C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675449Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.669{7B03F3B2-31A0-609C-522D-00000000BA01}18765896C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675448Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.669{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675447Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.669{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x8000000000000000675446Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.669{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 23542300x8000000000000000675445Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.223{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A3F805730BCBE19FF0B9531F8CE74E,SHA256=E2C37F2980B0FD890BFA7C07299F3096F319C8E7ADEDC1ACF435FF52EFB52F73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573449Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:55.258{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC7079AA5C78D41BCC317306D29DC4E,SHA256=B8EBC89B68C433BC2EB8BA2783E973E2DFCF5DED436CCCC47ABEA3042FE95A14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675547Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:53.526{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local51243-false44.231.216.202ec2-44-231-216-202.us-west-2.compute.amazonaws.com443https 10341000x8000000000000000675546Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.440{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675545Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.440{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675544Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.440{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675543Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.440{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675542Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.440{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675541Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.440{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675540Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.424{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675539Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.440{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675538Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.424{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675537Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.424{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675536Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.424{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675535Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.424{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675534Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.424{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675533Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.409{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675532Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.393{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675531Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.393{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675530Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.393{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675529Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.393{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675528Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.391{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675527Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.390{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675526Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.390{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675525Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.371{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44380027F7B39496B7523030BD837E8,SHA256=6FD1E15F7508ABC8B92672A900AFBEADFB73E6522B2EEF311C546E7ECE3E9FFE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000675524Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042SetValue2021-05-13 19:40:55.356{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 23542300x8000000000000000675523Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.356{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=074C999128FF6BA8494EF0622F5BDA8D,SHA256=B2F65518CC31BA997A5027F4FCE488357D12C8F819DB3837128CA67B2D510F04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675522Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.309{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675521Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.309{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675520Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.309{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675519Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.293{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675518Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.293{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675517Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.293{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675516Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.293{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675515Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.293{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675514Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.293{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675513Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.293{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675512Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.290{7B03F3B2-80C7-609D-4B56-00000000BA01}4584C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000675511Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.271{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675510Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.271{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675509Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.271{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675508Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.271{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675507Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.271{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675506Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.271{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675505Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.271{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675504Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.171{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675503Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.171{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675502Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.171{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675501Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.171{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675500Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.171{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675499Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.171{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675498Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.171{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675497Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.171{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675496Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.069{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675495Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.069{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675494Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.069{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675493Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.069{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675492Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.069{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675491Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.069{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675490Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.069{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675489Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.069{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000675488Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.037{7B03F3B2-31AD-609C-632D-00000000BA01}4184ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4U4R881F\microsoft.windows[1].xmlMD5=B9740039D5A3CB933EFA99E270F6260E,SHA256=AE8E55769EDF580ECC7417943CCA62AF2066EEC6527D5D7EBE82577391DC8D2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675487Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.022{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000675486Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.022{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000675485Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.006{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675484Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.006{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675483Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.006{7B03F3B2-31A0-609C-482D-00000000BA01}46087328C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675482Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.006{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675481Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.006{7B03F3B2-31A0-609C-482D-00000000BA01}46085464C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675480Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.006{7B03F3B2-31A0-609C-482D-00000000BA01}46086020C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675479Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.006{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675478Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.006{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675477Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.006{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675476Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.006{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675475Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.006{7B03F3B2-31AD-609C-632D-00000000BA01}4184ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\4U4R881F\microsoft.windows[1].xmlMD5=C8DF93EF80A9AB8E868DD59B323157FC,SHA256=9F247159F7557138AC165634ACA8D6378FDDDAB690E0D4DE5625BDAF1197E79E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675474Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.006{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000675473Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.006{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000675472Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.990{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675471Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.990{7B03F3B2-31A0-609C-522D-00000000BA01}18766596C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675470Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.990{7B03F3B2-31A0-609C-522D-00000000BA01}18765596C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675469Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.990{7B03F3B2-31A0-609C-522D-00000000BA01}18766596C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675468Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.990{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000675467Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:54.990{7B03F3B2-31A0-609C-482D-00000000BA01}46085840C:\Windows\System32\RuntimeBroker.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000573450Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:56.336{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C939EE8ABECE02B179FBF5D50C9E4F,SHA256=5FA8C4C17656057283817EF6EE9063949303D0100E82D5E49DAE393F0D810B59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675553Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:56.507{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF82B641F3F4186139CC2F01117B733C,SHA256=77E2EFDDA35E731216B4048CCF8A0AE83D447A4E11E701C5D4D72DB447DE026E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675552Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:56.454{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675551Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:56.454{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675550Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:56.454{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675549Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:56.454{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675548Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:56.055{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4F4FB59AF015FB1DE77632D719DE2FE,SHA256=2E1DF92AD2505945BCB561FA9A4DAF3F2784487BF2DFF3B6A096A59B19A476FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675593Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.823{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D3EAAF1FA0532877082F214245C866E,SHA256=958C7EDEA4306402229E8DECB7850A70ECD55B19B58CFB68ADDF308A6B0EF973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675592Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.623{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B2E1E7BC0A21B7D763A45D2D38DF5A,SHA256=41D9AB2F2E1CE99CF2A8A7B2270243C076BD8DAA66DD83D9C9F3AF00326E9314,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675591Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.523{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675590Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.523{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675589Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.523{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675588Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.492{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675587Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.492{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675586Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.490{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675585Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.490{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675584Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.488{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675583Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.488{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675582Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.484{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675581Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.469{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675580Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.469{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675579Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.469{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000573451Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:57.352{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=104EB2082E089C68ED90AD0E3049A1D8,SHA256=739C69A4C86D821AB223EDA8AAAF507BAE8591CE9BF95F8E7457593A1D93BB38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675578Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.438{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675577Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.438{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675576Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.438{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675575Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.438{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675574Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.438{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000675573Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042SetValue2021-05-13 19:40:57.391{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 10341000x8000000000000000675572Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.322{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675571Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.306{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675570Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.306{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675569Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.290{7B03F3B2-319D-609C-402D-00000000BA01}22885884C:\Windows\system32\csrss.exe{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675568Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.290{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675567Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.290{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675566Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.290{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675565Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.290{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675564Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.290{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675563Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.290{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675562Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.280{7B03F3B2-80C9-609D-4C56-00000000BA01}6160C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000675561Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.253{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675560Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.253{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675559Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.253{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675558Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.253{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675557Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.253{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675556Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.253{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675555Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:57.253{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000675554Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:55.300{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51244-false10.0.1.12-8000- 23542300x8000000000000000675595Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:58.470{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712F5F39B56D9366BEEFBDD795E3B86E,SHA256=67BB5A45C1BBB5330E35E20A300637BB6F0ABA0C924F4EDFD2D258F7EDF54092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573454Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:58.368{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B690125B4A025AFEDD79A69913A4C2,SHA256=6F881FB56436410EDCE4B8DB20952C92C7CD03122581CEB655907B601A6B8FCC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000675594Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDBSetValue2021-05-13 19:40:58.254{7B03F3B2-D0CA-609A-1300-00000000BA01}92C:\Windows\System32\svchost.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Git\git-cmd.exeBinary Data 23542300x8000000000000000573453Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:58.227{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4185E3DE8DEB8E705B61DBC028A487DF,SHA256=1AEA92D679AA86480E02279EA5C15A389375ABD71DC3D8CCA6F8C64D38F9917F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573452Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:58.227{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9BE5E656FA689657629E619C3818302,SHA256=D13182746EB965D9B47526009B2C2F641AE69528A4B9A78C322F69CF8CB4E233,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000675629Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042SetValue2021-05-13 19:40:59.990{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 10341000x8000000000000000675628Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.921{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675627Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.921{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675626Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.921{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675625Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.906{7B03F3B2-319D-609C-402D-00000000BA01}22885884C:\Windows\system32\csrss.exe{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675624Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.906{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675623Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.906{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675622Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.906{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675621Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.906{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675620Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.906{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675619Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.906{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675618Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.895{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000675617Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.884{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675616Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.868{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675615Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.868{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675614Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.868{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675613Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.868{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675612Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.868{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675611Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.868{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675610Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.490{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0454D9FB68FD5D5A6C3F18405821C1A8,SHA256=9C70DF4B2CC17502BDE288B92C195C915C75DE651524D8CB3D71EE9B6468E757,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573456Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:56.827{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52838-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573455Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:40:59.399{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4039DDD9946C9330B9A86E0C3EB05F78,SHA256=7B790A3A076048935847AFD9D1B497B8B05924B4BA16BDB8AB3E0F6984A5A9DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675609Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.406{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675608Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.406{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675607Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.406{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675606Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:40:59.406{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000675605Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:40:59.384{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000675604Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:40:59.384{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a7f9caf) 13241300x8000000000000000675603Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:40:59.384{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74827-0x840a6af1) 13241300x8000000000000000675602Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:40:59.384{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7482f-0xe5ced2f1) 13241300x8000000000000000675601Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:40:59.384{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d74838-0x47933af1) 13241300x8000000000000000675600Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:40:59.384{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000675599Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:40:59.384{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a7f9caf) 13241300x8000000000000000675598Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:40:59.384{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74827-0x840a6af1) 13241300x8000000000000000675597Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:40:59.384{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7482f-0xe5ced2f1) 13241300x8000000000000000675596Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:40:59.384{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d74838-0x47933af1) 23542300x8000000000000000675694Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.790{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E326E34B2544CB1B78A5BA836A38520F,SHA256=036FAE8519BD5B393641FCB9FF8C1AABAEF62225BC4E63CFF4C570ECF8C5FAF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675693Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.786{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D962116F4C295B920EB288D6FBB030,SHA256=3A79ECD05341A698D829FEA55ED9466AE08FBC284402E83D50FA5ADD7C42ABC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675692Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.768{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675691Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.768{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675690Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.768{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675689Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.768{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675688Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.768{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675687Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.768{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675686Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.768{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675685Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.768{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675684Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.768{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675683Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.768{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675682Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.768{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675681Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.768{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675680Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.768{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675679Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.737{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675678Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.737{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675677Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.737{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675676Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.737{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675675Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.737{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000675674Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042SetValue2021-05-13 19:41:00.706{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 10341000x8000000000000000675673Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.637{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675672Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.637{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675671Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.637{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675670Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.621{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675669Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.605{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675668Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.605{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675667Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.605{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675666Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.605{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675665Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.605{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675664Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.605{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675663Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.608{7B03F3B2-80CC-609D-4E56-00000000BA01}8144C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000675662Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.590{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675661Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.590{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675660Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.590{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675659Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.590{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000675658Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.590{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675657Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.589{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675656Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.589{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565480C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675655Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.521{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675654Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.521{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675653Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.521{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000675652Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.521{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000573457Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:00.415{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E841072BDB54AEF0C7F44D36C4F1A79B,SHA256=2EB73989A44A35E0A81EC45F4A802740663EF03E4C1E05A61864173C8AEB8D32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675651Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.406{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675650Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.390{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675649Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.390{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675648Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.390{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675647Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.052{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675646Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.037{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675645Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.037{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675644Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.037{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675643Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.037{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000675642Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.037{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675641Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.037{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675640Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.037{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675639Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.037{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675638Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.037{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675637Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.037{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675636Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.037{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675635Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.037{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675634Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.021{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675633Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.021{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675632Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.021{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675631Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.021{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675630Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.021{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-80CB-609D-4D56-00000000BA01}2964C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675695Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:01.936{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6ACFD58DE5C4A746563836B946610A,SHA256=0829F76CC8079C59059732AAAE950B7916B0CA8C36F71D822AF8B8BEF6BCC5C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573458Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:01.415{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11755B9AFCD131394CC362D2EDEE4EB0,SHA256=151AAED17CA5983D8F051500AAD0F68C1DE1F5906040F94BE5D65A476F5B466B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675698Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:02.951{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9F9BB8E4FBF86D5F294C39243BB14DC,SHA256=C652CEE0210DBBB43EF63A0566AE70B50D915ADDBC64428AB80E6299AA8F2766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573459Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:02.446{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C10E7B41836C262606C9BAC60D1C0E7,SHA256=51862AC3651BACA4044AE03C9FB9DB421D547E1F67AAC8567EC9A4A6B26D0AC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675697Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:02.566{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44D38A7FFBDE11699BA6BE349AABE1AA,SHA256=8338AF3C3B80005069B33A7F90D99D6970072BEDE22315FBF06742A22200D2BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675696Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:00.313{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51245-false10.0.1.12-8000- 23542300x8000000000000000675699Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:03.965{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F7217ACA1084E141F2D78A6F9EF200,SHA256=72C3CCB5F98641320CC7C041B0FA945BD55FCFB9B1EF6B5B9D9BB61F0F533D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573460Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:03.462{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C0F50050F261BCBC02D61AC1E9D339,SHA256=F251FB9D511D59DA21FA80F9C7A337C19D9CBF5A1CBB0BFF63439FF4BFA0EE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675700Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:04.983{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD1203BE92124CD968DC39B2FAA4952,SHA256=A635AE5280DDDFFF7199E25CE0247A5FBAC0B531B2EA5C18719156B741BFBFD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573464Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:02.718{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52839-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573463Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:04.477{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAFB7BA2C1B4F35C08C8AC4BE6DD40B,SHA256=CCC523054636AFC3F1F072E0781B378BA7C110CD6F1725F8C84BB904802D529C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573462Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:04.102{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A1B8347E371ADD45F2558FAA8ED5675,SHA256=960BAE57AB25B7F9C82E2627AD9D3AC6FE411A40C121516210F45F48FB1A9BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573461Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:04.102{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4185E3DE8DEB8E705B61DBC028A487DF,SHA256=1AEA92D679AA86480E02279EA5C15A389375ABD71DC3D8CCA6F8C64D38F9917F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573465Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:05.493{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDFFE1DBB95D6A13C3F453F61122FB39,SHA256=FEEA66CAA0B3454A3BAF9DA607475AC160E32FE95D5510E3B856D4F6FBD0329B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573466Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:06.540{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47008EBC9CFB21A20B1064FA8618686,SHA256=88EB4BE48424FE7BD7A05A22F5B845B8E8FC4CD213DAB86649C26B99C43AB65F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675702Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:06.132{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=039769F9B35B70F39D22BB1342315BF5,SHA256=0F0BD5A42D5AAE08A4647CF87993900E44D645349911722162D9AFE8FD4B0C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675701Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:06.017{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0953ADCDDD5A288140A29687C446291A,SHA256=6D8909429C2A379DB99098BBCAC243755D35547DA249FDC1AF47FF21E01DC70F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573467Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:07.559{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FCF2811F4D664206899B5CE778A1623,SHA256=7131ABE2600F7AE744E3ECDB7173D4A073E261DD76C89FC2959B30DEBB611D46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675716Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:07.600{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=F9E92FAD6B290C71CB91A619C017C556,SHA256=2E67BD8F9FBFAF995247BACADEB72FE167CB6FB8ED0C66FE97AE3B207DC84EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675715Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:07.600{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B0E2D0FAA5104A6F83B39DD04CACE976,SHA256=348DA55ACDF17D8612B0D6C2E034D04E4DB98E8C767B2C68126C7BDE1F41328C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675714Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:07.600{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=0CB92236FA9D8CBCCC3DADEF62F218C8,SHA256=754564780DF1166BC59C4C98730BA8C2885B378E1FD60B2F86AB5E8DC5874F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675713Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:07.600{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=8AD47218A52A4BF7345B6DCF2145A2C7,SHA256=A0238C843B1D74166B34BC47A9415845CF55E97ABF38D20B04798798D999F8B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675712Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:07.600{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=9BCAF1F915EF77EF43628EA57D219C74,SHA256=F3905E55CB157190BFE8357CC04473900E29639138D4DAD676A41E2F1CA45026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675711Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:07.600{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=663EB9DB84B8AB692981316331DFE795,SHA256=224D7E593B84DF78F1C8B7A8E730A0C9A99F315E724345DE128413364ABAF540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675710Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:07.600{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=3B9963553568AF68E208A64C332A343E,SHA256=8C9C4331DC62BB7001BCDDFE6DA9D9E7B1019647106F7740A96FFC8AD08082AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675709Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:07.600{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=6852C87213B25606918F1245572717E6,SHA256=C201AFF11FA29CA6B135AD8F3085ADDA114FE3044B7EA94E62E8F3DD2F5E2F55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675708Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:07.562{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=134DF8749940BD50B0511F19B4284111,SHA256=A454575E36C545E901EDEC6A58D1619F0D8042254BC87E229545D10A30910477,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675707Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:07.515{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675706Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:07.515{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675705Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:07.515{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000675704Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:05.363{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51246-false10.0.1.12-8000- 23542300x8000000000000000675703Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:07.047{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF4645DF21C340E74D6EEE24D26E12A5,SHA256=3403A835CF2003B13FD0CB0C8334E85905A7586F8F45788B7CC0A60BAE3821FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573468Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:08.591{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E8357F26F092B9ECBEFC6B843861D6,SHA256=47B4320BE72FD920B980DA5ABC6822553D733D217D65EA921856FA0E1B6B15D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675745Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675744Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675743Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675742Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675741Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675740Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675739Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675738Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675737Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675736Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675735Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675734Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675733Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675732Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675731Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675730Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675729Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675728Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675727Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675726Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675725Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675724Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675723Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675722Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675721Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675720Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675719Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675718Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.499{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675717Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:08.083{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7DD2C85E437E62012585FA059FA9E9,SHA256=AB6AD30158348FD8B1C62AED5509835EB07B2EB1CAD80F26907B452FD840D58C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573473Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:07.831{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52840-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573472Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:09.622{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937D377807B5F36E66F69B51F4D59D18,SHA256=55C4C197736938FC93A6FAD18240877103F334A3A10AA438A5C3956E82BECA4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675746Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:09.346{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F32B860959A2968CB8AB04AB960C634,SHA256=B2E3FCCC2B1001460BA6D88B1DD9F1CA253B3C4BEB8541C354F2A60FCAEB2A7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573471Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:09.528{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1E77C62130A9CBCC499C751F2291D79A,SHA256=59088E23CAABA4B9D64A90919C0AC8B3E6416B665FD713030C476525DB331EF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573470Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:09.200{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68105EE883267A9002EF6B5EBF842B13,SHA256=3DFD9373A1E965F9A4991B8294F9930A201D010B5A8D2F29FF21BB61E2FD147C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573469Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:09.200{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A1B8347E371ADD45F2558FAA8ED5675,SHA256=960BAE57AB25B7F9C82E2627AD9D3AC6FE411A40C121516210F45F48FB1A9BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573474Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:10.653{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F16266AE0DE320CD89AEB9BD809CA5,SHA256=DCCDCE8A71F150BABE19A12F8E295503D8F6FDEC1D55F9F876EA4D8D089EC1F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675747Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:10.361{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B9AA3FF6BC5D2801F8D5239D13007B1,SHA256=4680E057B87D2E6014C9ECE63ECA6B71163D6DA451E580EA60C9D14678C9047F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573475Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:11.669{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E9111BFF50C4786F6CFCDCD93C254B6,SHA256=2A98D3CE0FA67ACE107DF3D36CD1A1C7F01285CEF640AC6334FCA11CBFB1FF87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675749Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:11.378{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE3475A52AAF0FA524940B685AD7649,SHA256=E07D7B587B488A2685258CF652D5BD7AEAF74EC4D6556C5D68179B5FF60BFDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675748Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:11.145{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C24B1984446B1EB5B1FE7BED989A5A3,SHA256=AB8CDB42EAED75AAE555F07C815981469451DBA93AD88AAB81995CAAC57E4D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573476Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:12.684{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94ED280646CEEA39CFC5D1372E4372BA,SHA256=8DE5B94E3A6D5D4E368F80CD3F0100C12044FF2A5097C3A304ED8235699814F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675751Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:12.413{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3F3190FCAAE5DB30B15D26EFA9845E,SHA256=297F9F91633F80FF6C64B1CB0A88F1078AB33EC22888D790B2A6A8E9C0958266,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675750Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:10.375{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51247-false10.0.1.12-8000- 23542300x8000000000000000573477Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:13.700{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5AF354FA16A3D52A2E6760B98DA55A,SHA256=79706C4CBC2872FF98A135B16D4960EAB06B98294B505B6E5E27C6C9495A47BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675752Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:13.444{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63299BBA97EE9B57C5F32E3A0A222FD1,SHA256=6CE0AF2FEE49844C49A8F90FAB197A898BD4D321D4CA793E239049989C6BFB47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573478Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:14.700{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0D4A2CC82E825B580F546A260C1B5D,SHA256=47ECDC543AA7D88B69FBBFE097B478CAD7C2CA9A8DF567C1A1A83D92A24B8FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675753Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:14.459{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4365544E9BF778487EDF277A69AF18FD,SHA256=C2006B06CE578DDC9BDA8BD9AB6B7EB3F5F44F253753AFA2B9C9CF95B4183678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573481Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:15.747{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982E8352BB8787818FA9FE83E1EE6BD6,SHA256=0BF2DB6312514547A8AA134BFBB0F60093DC276BCF3582E6B53EAF0D15B9A502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675754Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:15.476{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA6A6427FC20A2B79AF10DDAF505E4EA,SHA256=9EE57C75E61CF3EC0B57337B5D96C28B55D5CF8A7C96154BF79C7DCF68C8FA0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573480Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:15.309{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB7566F02C667B884C99C90390EBA652,SHA256=2EFA57B088F2ADA7E85061ADBF6DF4E59EBDED273AE6FFE53953C982B96058A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573479Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:15.309{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68105EE883267A9002EF6B5EBF842B13,SHA256=3DFD9373A1E965F9A4991B8294F9930A201D010B5A8D2F29FF21BB61E2FD147C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573483Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:16.762{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F77FE7D25C125DC4D96CF2E881C365,SHA256=94103A0DA20A8EE49E165F63C2E1E21577E32BD8B57B6E910B0AFF01FBB7B67D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675755Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:16.510{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F3A8F02CE0C517ADDDB9E807522331,SHA256=F412C9290DD301AC0252E294F649DC6F822E2360A478737D151AE5102FABF0AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573482Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:13.706{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52841-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573484Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:17.778{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57408945CD019428FD3E2DDC8BF0485B,SHA256=346C2D50BFB91E32EBFF152BE3BE0894BA9B14AE688D7E62D9488662640F1781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675759Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:17.525{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7175E33FC8E27B23CF4F6CDAF256479,SHA256=C5B108C5EF39023FAE6023C41FE5D08A17B4734AE28F623CED440B31D49F8B46,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675758Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:16.403{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51248-false10.0.1.12-8000- 23542300x8000000000000000675757Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:17.176{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CA5515B726C79DDA0793185DA57AD45,SHA256=C70F3A92530A4C3C010E0FB06A8204665C5DD5D1242113D2D094DB4422E804FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675756Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:17.175{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF279999EC7983FC14DD08D578C5834F,SHA256=62826BC63477CA8DDA1139BC52304E3E0D4CB3B1D7B0ED769D8EADB260CEA12A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573485Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:18.809{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2718183ACE560F88EB9F206235622710,SHA256=88D4BC4DAD87CCE9631AC4F27913037E6F36099E8F514A93AE25D86C66B3172E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675760Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:18.539{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A180D84B3CA2687E6449927D6D3D596,SHA256=F695043C65D3062F1163B4CDB3E764EE443F30F3D5DDF06813EC5B815DC7CF14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573486Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:19.872{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD67FB8F088F6E8822EEE1BF5C66B5C,SHA256=7537E4F0DDF4C03E82D5C0A06539ECA340182A0D43C3B57FB4A7D549DDEBE50C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675761Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:19.572{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=260E782B20BDB00C451F1071B87DCC17,SHA256=26CA620EAD7A610A230E02C9065D8CA021DD250306439EFAE717D3BB883A6CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573489Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:20.887{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7157B876E1809094ED282B77D6698BB8,SHA256=66F33FD1A7D93EC3A321FBAD0C9323ED0244DB24FB599C39238DCE21F52C8F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675762Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:20.590{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48866CD725D8BC8D9D819EC34CAB478,SHA256=4BB5DCAB34F0305FC16B11ADC97573C5327D0FF950C5364E8540462185D0774C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573488Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:18.737{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52842-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573487Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:20.278{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB7566F02C667B884C99C90390EBA652,SHA256=2EFA57B088F2ADA7E85061ADBF6DF4E59EBDED273AE6FFE53953C982B96058A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573490Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:21.887{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FEB184F6FC4C6710897D65CCA8032F4,SHA256=C37C82D6AAE3D04C6C12146E263A18E7F60DA6DD7B47370D2974FF73CF174156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675763Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:21.604{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09781244B8AFA820D7257A81668BE588,SHA256=9648D96A4B8C2A9F7389114A00E4F298021D1CD9FB53E9BCF289794396E90301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573491Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:22.887{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14ED357FFE26632900D3D39DF6B98B25,SHA256=6F225C0649E85B7AA6841F3407E3E2D5EE5ADBE6A3540FA67193FD4ADFE5AE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675766Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:22.619{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA58EC1628D925E64E499B710262E8CF,SHA256=4C3CF6EC3F4E88E2D67AC345C3B246B9BF3EA2F48B63663DD7C0F87E904FCD93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675765Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:22.235{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=451C00918E06C1EDD5F020F731E1EA04,SHA256=83191FB426EE3F18B5E12CD0C9ECBCA06B4C092C4B280F090BC8C933744A0A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675764Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:22.235{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CA5515B726C79DDA0793185DA57AD45,SHA256=C70F3A92530A4C3C010E0FB06A8204665C5DD5D1242113D2D094DB4422E804FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573492Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:23.919{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC542CBAED57E842E1F86E53FBBA24DD,SHA256=D134CEB595EDEF826D9E0A13922D8F00B1A16F57BD7134CDC18F4A80D07BA69C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675769Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:21.413{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51249-false10.0.1.12-8000- 23542300x8000000000000000675768Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:23.648{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117A42CC41326A3823B5272A3CB058C7,SHA256=73DDBECF8505B3E38A72301EB32FD213E7DB40BF93AF4671576C03FDAD6896A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675767Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:23.549{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=451C00918E06C1EDD5F020F731E1EA04,SHA256=83191FB426EE3F18B5E12CD0C9ECBCA06B4C092C4B280F090BC8C933744A0A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573493Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:24.934{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8709E0890481EB7F8D21D22FC48074FB,SHA256=E911CC19FD1E0FD2C44978B36F382C90F9C2B484D689C33ABA2244A7D6CBB1AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675771Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:22.782{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local56901- 23542300x8000000000000000675770Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:24.666{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2651B33DB705873B7A86A074D6B640F9,SHA256=B873EB3C3B158BFF884C75014C995B2C46089CEA96247D4AEABE8E5C5F5CEF17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573509Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:25.965{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CE9FBBDB7EC3B28689174E38378E54,SHA256=5254F2765CC889C14250B15DF099AB32FB962511086EAC9E599F1BB94450DCD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675774Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:25.685{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09FAEE2A4DD5452B19A63FBE13301FB9,SHA256=6A1740A693A4556A797BB4A1894261FA2AC5986EB4B17B5CF37289A14E5C5C46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573508Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:25.840{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-80E5-609D-1951-00000000BB01}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573507Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:25.840{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573506Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:25.840{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573505Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:25.840{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573504Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:25.840{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573503Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:25.840{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573502Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:25.840{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573501Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:25.840{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573500Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:25.840{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573499Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:25.840{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573498Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:25.840{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-80E5-609D-1951-00000000BB01}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573497Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:25.840{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-80E5-609D-1951-00000000BB01}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573496Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:25.841{E1BD9FC2-80E5-609D-1951-00000000BB01}3712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000573495Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:23.831{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52843-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573494Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:25.231{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD6260CDE6C2BBE265C8BBEEED1EB502,SHA256=57EED3B75FCFA43790A72EEB5C7E6442C855F8A29A1564A3FA68D6E8FE1A475B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675773Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:25.369{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675772Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:25.285{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=857D1D3125D516ABA8A0FA673DC78F6E,SHA256=8936A0C50323F1B12EE252317236135B4EA4C46617AD961826885C1F0D72E5A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675778Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:26.730{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED6BF8470CD79D3D9561FF157CDEA18,SHA256=A9B70C48D507C58461BF271F25AE589A81AEEBA6F8381C28B8901AAB6D5596EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573524Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:26.897{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4DD4EFF3EE962935D9E4BFFF8481664,SHA256=4DE00E48321AC1ACC9B4F6B2EAA6D07119860374052C85FA0C3876B439057832,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573523Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:26.631{E1BD9FC2-80E6-609D-1A51-00000000BB01}33243628C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573522Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:26.512{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-80E6-609D-1A51-00000000BB01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573521Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:26.512{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573520Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:26.512{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573519Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:26.512{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573518Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:26.512{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573517Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:26.512{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573516Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:26.512{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573515Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:26.512{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573514Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:26.512{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573513Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:26.512{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573512Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:26.512{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-80E6-609D-1A51-00000000BB01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573511Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:26.512{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-80E6-609D-1A51-00000000BB01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573510Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:26.513{E1BD9FC2-80E6-609D-1A51-00000000BB01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000675777Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:24.509{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51250-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000675776Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:24.509{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51250-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000675775Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:26.399{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5AC7913948B860BAA26FA5028F9F4308,SHA256=0BF07A117C451EBB9D981C1646DB5C2FAB2E072172D8B574741CB7B495CC0564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675790Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:27.767{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E28B49100BE95081FB105DB72EEBB89,SHA256=13D81D7846BAB448FC9B7AB276670C6723D67F406F1A8973E6CF4B83632469E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573538Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:27.100{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-80E7-609D-1B51-00000000BB01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573537Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:27.100{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573536Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:27.100{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573535Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:27.100{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573534Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:27.100{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573533Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:27.100{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573532Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:27.100{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573531Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:27.100{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573530Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:27.100{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573529Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:27.100{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573528Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:27.100{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-80E7-609D-1B51-00000000BB01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573527Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:27.100{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-80E7-609D-1B51-00000000BB01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573526Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:27.102{E1BD9FC2-80E7-609D-1B51-00000000BB01}2004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573525Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:27.006{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1279565FD6240AAAB9F5F21445AC75,SHA256=82C8237586EA565E30139485D0CFDF878D4059F51BAB89CA0E6F6C060A06BED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675789Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:27.583{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E559A97A3D37BAC4CFF1CCF916A3443E,SHA256=308A8C5669EA0CBDE4F8E4B41A6908A2DF252B17F96AF9796C60208154854D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675788Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:27.567{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=22DAC9F12F6B2A73CF7432EFCD3E6042,SHA256=599AFF12523BE2F891FF81C2A1BF7641457FADF6E731AE30A48D69128A8308E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675787Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:27.567{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=29CC1E2D8A7CE1C9817A366A29435D8C,SHA256=E9AEECE17ECDCD0C78639073346D2F00CC72675C7554450AD9E2D324FCA2EF01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675786Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:27.567{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=1770733FF7C7C2E70E8DFDE75ABEE3C4,SHA256=ED21B1ABBA6DFF9FA5933E17BE68BDCD7C42AC8B0238E3FE59B6E36F1D967A16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675785Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:27.567{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E09240B9A0A12F04754859A54BA7E88B,SHA256=C1AEEDFC54EA1609CBC57540390618A6C1FF739C0028DAA978D2ECDBE11C69A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675784Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:27.566{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=9F14C2CEC577F0DC6D9FFE46DF538ADA,SHA256=414088F1B3974735DCED8251259187F86A4E878797185D1166139F5FBECADD8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675783Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:27.565{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=90E63C1E4302358376387FD0C8D81F9B,SHA256=99D6B1C959A9BFF78E649E710C776D4F33373C9397931189A4214938ACE6E36D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675782Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:27.564{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=4351E2537F2690B8386C2905A0CE7AB4,SHA256=73DD4B82ED6584B9AF011C5BF0A41AC3088166DC7003D016D2111FFBCC7BE5B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675781Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:27.562{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=DEFA5D5BFF3EAA2CFDE8EB48ECB6147B,SHA256=567667839A5610882DB28DE9D8746DD176B65FEA189E7E38B66AE11F891A46A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675780Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:26.429{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51252-false10.0.1.12-8000- 354300x8000000000000000675779Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:25.593{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51251-false10.0.1.12-8089- 23542300x8000000000000000675791Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:28.783{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F024248BDC201C732814E51D4ECF39,SHA256=D13F47A679D09AD429C849D778189DD56D97BAD428C5F7CFF14861B70D812985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573540Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:28.147{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43375DB604B73EF71D645958917CE6B6,SHA256=03B3AF5F8448771ED996E1AA1EAE326A362B1C769A23B0F270B3AD4D1DA4393B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573539Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:28.006{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9506667B22BD10DEE26F3723F811A64C,SHA256=51F04E15AF77033CF2DD095ED8B306488F875F4222BA0DC2F8E0ED2035AA11AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675792Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:29.797{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE782DB4FFE5E12677701064D64A326,SHA256=138D023EA6C7F815901E6146CD1BA83B1FB5F519AA5575787A84F5245851A5CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573542Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:29.944{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573541Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:29.022{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFDB50F2BA45843C12474E66588A5E7,SHA256=C702CF4FA51C7D5ECAF9BA6DA39E62422CF713A0B4D6E115F6757D3AF11EC372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675793Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:30.827{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0938344AE6567A3B0D7BDAA69EE81415,SHA256=319BC72C6E9D6B10028392AF42079DC56097283B37E54BACEC562B6767E55EAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573545Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:28.841{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52844-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573544Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:30.210{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80E70435DA46984A398EB7E36799ED5D,SHA256=8CAEC9E07367FED4ECEDE25120260C5B92BFF80E14778020C0EA0804DEEC4655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573543Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:30.053{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC31415EAA08A0C8E5FA051FE881D21,SHA256=8F67EDC64B7ED7A3D76F502F907552F5937977A039108663F6D8F80B7C47829F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675794Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:31.860{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07368C9C1D690DDCD54BAC3BB6E899BC,SHA256=6F2A596C0C978727BABC01D93769DE1E3419756FEB0EB1EDD974C44939925993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573546Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:31.069{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62BF2D44BE1B822DC4623620A7D4ECFD,SHA256=E977B1E32ED80586346C266345064B5B38E9375677DF3C99CF3A7EA5D0888E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675803Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:32.895{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EDE70AA42C3B9A8B93FA334C499843F,SHA256=A5BC7CCDAE74EF5C8D0EA8982C67E0892A2DDB51487F1AA74C85314B02A125CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573548Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:29.559{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52845-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000573547Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:32.069{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EEE6D2ADC90DA5CF722A7DD6D1CCECD,SHA256=787519B77C2FBCBDEF66536E9A9721E1DF71523DF2F1BDF4FAC154307DFDD338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675802Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:32.579{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=1DBB6EEFF93ECD7E1807DA145005F327,SHA256=1B6F65068154432A276AD8FAB97FB5B2E897AA59B059A5952EAD5B5C2F00C8A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675801Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:32.579{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=4E17050662BACCFB0895082CD0D09475,SHA256=F48865B8184A9054656226FCC949FFEA1790F8D32D67429DCDE0B607BAD9994B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675800Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:32.579{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=05522B4A9FBFDAE13B536048C92EFAF0,SHA256=585797CBF53E14EE2E20BE2534285A9DD187350C62BC77E3378B293F489807E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675799Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:32.579{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=D20DE94FE646A0FCC4876A55AFE0C349,SHA256=A88DACFE5899C5632AF3D13DD4EF5F85FDDCD58FE45C89467E6CF4C0CEEAD1FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675798Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:32.579{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=D17FBA1DF3E2C0D911AB440D8E902683,SHA256=4C0AE22CB9B08BFA3F5F45236E55D1EBBE678DD0497E101605B77A074C71E5BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675797Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:32.579{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=88BCE1D83C4F0FBB078D3FD1EF6AA6AD,SHA256=73B7545FA60E67F0508BF4F1B225DA882BD95DDE0B6CFD77924C4355AF419BEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675796Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:32.579{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=EAE334E3FA516237F77DFC68F044E698,SHA256=8EAED14001869C6A5DB04653AD3A9D70B0DFA88BEDADAC55F6732DF26B9C6B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675795Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:32.579{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=FB0CE0A98A84B83726781268779ABEC8,SHA256=E484DA3E8123972DB1371EDBF1C0C9FD8FE337E74E80D87BDDD682D44A78963E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675806Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:33.941{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BC7792F029111AE91CE4669FEC220A,SHA256=F6B0B18661C415B4BA9A8699AE3FFB0E8AB5D6BCC92253BF84022903C657193B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573549Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:33.116{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=346669A0408C05E49B21AD47A8691AEC,SHA256=7A317DCFDCC8DC7B0C8E47FE26FA1DE11043BC06F45B8E716DEA98EF407DA3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675805Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:33.079{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72EEC7B2E14EFF3334F777E14ADCE5B9,SHA256=4E3F79D30543694BDC5451683AA06DCF1A224840ACD061D4606693FBB988D266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675804Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:33.079{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9A55BD2434562566DD5346F7F50A854,SHA256=CA21D947FEAD8C0E2CFC34D8060AF99701CC31D29F2B9D128A81498A17212C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675808Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:34.961{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59261351E74DC7B06B9FB6F2372C9BE6,SHA256=B5BDBDC23BFF689615C7F3E4EA5224077F95D12D25F475FABC5957088E6FD35B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675807Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:32.303{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51253-false10.0.1.12-8000- 23542300x8000000000000000573550Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:34.131{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE4F92D612E8C03C20398EA67861641,SHA256=40F4D1B8B7D82137A45F5689941ECEC8282AF75FF2F463C747E5328134380422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675810Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:35.979{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=107773C5380F50DE236ADEE2E4CCED23,SHA256=E03B792143A2426380BAA8F30693D2E7D70E91DD3C0241D5F8676108D5B6DEA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573582Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.819{E1BD9FC2-80EF-609D-1D51-00000000BB01}12923448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000573581Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:33.872{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52846-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000573580Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.694{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-80EF-609D-1D51-00000000BB01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573579Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.694{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573578Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.694{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573577Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.694{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573576Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.694{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573575Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.694{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573574Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.694{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573573Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.694{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573572Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.694{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573571Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.694{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573570Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.694{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-80EF-609D-1D51-00000000BB01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573569Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.694{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-80EF-609D-1D51-00000000BB01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573568Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.695{E1BD9FC2-80EF-609D-1D51-00000000BB01}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573567Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.272{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4E7E08665C182F064F06470190EAC34,SHA256=1BB8BA658ED720BFFF23B813654592CA931F839B921E34B0F91EBF64AF5126E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573566Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.272{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E382F755D0F150E953E8B131F9360D48,SHA256=0E382494F5C43428EB647909990C9AF99E2B9281531CE697D054D62E3048F284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573565Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.163{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED911DCBC6EBEAD2A84A5F7E9FD3729,SHA256=5D2DF312A1B764EECEEEA30A41F667B692602708361F7655E0E0EA129FEB6AE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675809Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:35.665{7B03F3B2-D0C8-609A-0B00-00000000BA01}6325688C:\Windows\system32\lsass.exe{7B03F3B2-D0C5-609A-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000573564Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.147{E1BD9FC2-80EF-609D-1C51-00000000BB01}9163856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573563Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.022{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-80EF-609D-1C51-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573562Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.022{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573561Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.022{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573560Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.022{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573559Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.022{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573558Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.022{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573557Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.022{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573556Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.022{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573555Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.022{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573554Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.022{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573553Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.022{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-80EF-609D-1C51-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573552Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.022{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-80EF-609D-1C51-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573551Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:35.023{E1BD9FC2-80EF-609D-1C51-00000000BB01}916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000675818Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:36.980{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA175F5E9C57F314C8E4D2124DFFD98,SHA256=D1C3C61F11802215B47165EF88E2047DC0992117FE319D4C7DC86600D9F8EEEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573597Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:36.726{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4E7E08665C182F064F06470190EAC34,SHA256=1BB8BA658ED720BFFF23B813654592CA931F839B921E34B0F91EBF64AF5126E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573596Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:36.367{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-80F0-609D-1E51-00000000BB01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573595Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:36.367{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573594Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:36.367{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573593Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:36.367{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573592Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:36.367{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573591Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:36.367{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573590Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:36.367{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573589Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:36.367{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573588Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:36.367{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573587Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:36.367{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573586Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:36.367{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-80F0-609D-1E51-00000000BB01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573585Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:36.367{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-80F0-609D-1E51-00000000BB01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573584Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:36.368{E1BD9FC2-80F0-609D-1E51-00000000BB01}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573583Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:36.163{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA96CCC8223345A799FB9392A8D0E3E5,SHA256=9F02946F3FE13911BB1BD9F138BD81317313254807402790EDD324DEA445CD05,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675817Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:35.908{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51256-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000675816Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:35.908{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51256-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000675815Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:35.800{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-18.attackrange.local51255-false10.0.1.14win-dc-18.attackrange.local389ldap 354300x8000000000000000675814Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:35.800{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51255-false10.0.1.14win-dc-18.attackrange.local389ldap 354300x8000000000000000675813Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:35.791{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51254-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000675812Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:35.791{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51254-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 23542300x8000000000000000675811Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:36.564{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72EEC7B2E14EFF3334F777E14ADCE5B9,SHA256=4E3F79D30543694BDC5451683AA06DCF1A224840ACD061D4606693FBB988D266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573612Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:37.415{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED8B24FABE4BDA77C299FAEC118CE92,SHA256=B8B2A48C8D5EC0F4A7B6FBBDEA1CD3D4B13D46839BD1FF74ADBD576AF08781E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573611Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:37.164{E1BD9FC2-80F1-609D-1F51-00000000BB01}38403320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573610Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:37.039{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-80F1-609D-1F51-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573609Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573608Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573607Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573606Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573605Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573604Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573603Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573602Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573601Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:37.039{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573600Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:37.039{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-80F1-609D-1F51-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573599Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:37.039{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-80F1-609D-1F51-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573598Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:37.040{E1BD9FC2-80F1-609D-1F51-00000000BB01}3840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573614Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:38.182{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11EFF0DF5A4E3CD94582D0B54D221616,SHA256=D9FE32890FDFDA3FE9F2D62D60C2D0F3548485C8A08D09C027C03FA377C63895,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675821Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:37.388{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51257-false10.0.1.12-8000- 23542300x8000000000000000675820Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:38.162{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F27E9787951762DEA0C75B9EAF8A9DD1,SHA256=842A451A6A19265604C1953C1F5179383EF01C28FD3B63A0CD54A1B991A20F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675819Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:38.010{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EA8338B1A63A9471C48B378B2306704,SHA256=2845FBEC632B6134F8CF2D6CDCE71FC932D119C84E91ED62164A1CF378FA4F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573613Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:38.040{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CED5435C8D34E2F656232200ACFC640,SHA256=7017593303B8F1270E73B2D5FF1B6945E6CD78D7262BFCF7B697F80932C9E9F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573615Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:39.198{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C8263EAC92AC2D4687B797432B7695,SHA256=BAECCCD9278718471A7B6AE5EE7AC0088459C376FE06FEC3D3C224D740288482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675825Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:39.961{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\aborted-session-pingMD5=0EF15D99470617F439B361AD0EDC4FDC,SHA256=37AA61119BA88CF475839548132A8C29150EE88DCED1C2C47334DF919552A11C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675824Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:39.839{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D3E266AB94CF5A0E4F455F6C5991EF09,SHA256=6C58E675FB7297C2F90544BEC66A4467FD1CBADA8FAA741C91688F43AC97B097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675823Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:39.839{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2FAA59A8ED12C04F4E969869A7D13AD5,SHA256=556CFD6C33782637BD3B118C89454D02282FEC7A0D7F7B8F09EE877A4705AD5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675822Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:39.025{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82F3C4080B939D0C7169DF36895A22D,SHA256=226E4E371119F573A8D1D58F1043A0D4CFF01C3F7DD3F4E0B74B622EBC8377B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573616Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:40.229{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6FBFDEB5A36BA4E0098763D02237F1,SHA256=FAEAB685DDC1A0F46D002E50432F1603C1825E5A9D2EBFDE5DBE2C333BBC5BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675826Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:40.039{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A209E78806991893A429B9EAA64DCF6,SHA256=7E92E3585659402E2242287F08A49C41518817D38F9B6DB3E6CFC14A7BC53573,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573619Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:39.860{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52847-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573618Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:41.323{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8868295F3BF5C6DB85583882F387121,SHA256=B0CACA343C8A4408E0923AD601A59F3C7D301683F7C93B91AE66B8F4986DA898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573617Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:41.291{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44BC0D3BE3FDDAC67199AD506F7FC66,SHA256=D3DFAACDCF4DC0863F89D7DD32115B1181B149276CD52F32EDBBD1C285F5A089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675829Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:41.057{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8520A36C9831F11E718EFD5DB8740ACB,SHA256=47735A08A291F18B6B75EAF16E67FB6A64E48645B18F2BCDCC7A4E9F62F8DEA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675828Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:41.039{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95E52EDC2237496795C451EE993656FE,SHA256=AACAB9E0F3CF9979E6D1A05CCCE3344F65C0B0C3A105A194369748DE9B659983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675827Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:41.023{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D3E266AB94CF5A0E4F455F6C5991EF09,SHA256=6C58E675FB7297C2F90544BEC66A4467FD1CBADA8FAA741C91688F43AC97B097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573620Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:42.291{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F12872035EDBB12DC6877C058107983,SHA256=538ACEDEB98269DCBDC4F6D5780006A33CBF788CE01AA2D56D437F9B3B618C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675831Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:42.592{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C152F4DA43495BC7A1B6FC5160BB157,SHA256=6F201B5D97B7E0B082F0879310422FE9265B49C606499DEF23C23FAA4EDFE637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675830Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:42.077{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2CA2A79294D09A338CDDC16A2EC317C,SHA256=FF6F5D41764590A4400DE6CE68D46F644051B70031170F9B919DF7E766DDEB1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573621Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:43.307{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B497C918C108E98BFCD9D5A22284E46E,SHA256=CAC1ACE0F5BFF12A3207A00B6D4A6D720C60F4F79F77FA4BB9CC2B7EF7A05599,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675833Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:42.484{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51258-false10.0.1.12-8000- 23542300x8000000000000000675832Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:43.107{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3455A922982C0E97C65CCFFBD1B24C,SHA256=4D8E433B7EBEC16A8D6374512FE9A64A0326F0F43FED91FF9A6EAE6B83CEED0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573622Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:44.354{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B7C0EF2EAE1F9E43E2870EE1073BC4,SHA256=B3F7E4A0A0FCB053F59FBA4A0DD36CD2B5205882A23765DA2A51D261B86DFB87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675842Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:44.937{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-80F8-609D-4F56-00000000BA01}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675841Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:44.937{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675840Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:44.937{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675839Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:44.937{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675838Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:44.937{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675837Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:44.937{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-80F8-609D-4F56-00000000BA01}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675836Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:44.937{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-80F8-609D-4F56-00000000BA01}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675835Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:44.938{7B03F3B2-80F8-609D-4F56-00000000BA01}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000675834Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:44.137{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=535E586190BC7D0C19627DCE2B91E484,SHA256=18AC78C09339B5CDACD53C77843354204511A6B471FD3F68BDDE26EA295FA4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573623Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:45.369{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98213932835A6164DE9A94888B970C92,SHA256=88AF001B36687749EB0B92A370CA3BE3E46290632F959C624BF809274069271B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675852Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:45.988{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0393A0B08071EB854CC6F946EE9E3246,SHA256=B3F5248405D133E942A43BC6CDD48A53F98488C6F6A08E272408CA28450F602E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675851Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:45.473{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-80F9-609D-5056-00000000BA01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675850Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:45.473{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675849Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:45.473{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675848Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:45.473{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675847Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:45.473{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675846Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:45.473{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-80F9-609D-5056-00000000BA01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675845Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:45.473{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-80F9-609D-5056-00000000BA01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675844Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:45.475{7B03F3B2-80F9-609D-5056-00000000BA01}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000675843Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:45.156{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A703BDC69251A3EE19FAA12AF845AA,SHA256=4117881E359B97D5CFAC33D28C4EF2739118BE936E4631DE49A932F3F6903E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573624Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:46.369{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35ADEB887D33E103932FB4E9DD808AB,SHA256=6DC5B0405DA788CB717AD24D58773DEE390C381EE3CBD951F06EE577E90ABC08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675862Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:46.255{7B03F3B2-80FA-609D-5156-00000000BA01}71442692C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675861Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:46.203{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A6F91000FF7FBC30615ADB4A05BADB,SHA256=DDBAD90C54F597B53C7F70EE894431B37CDB816FAD002FC3AD3F42810FDBB091,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675860Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:46.088{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-80FA-609D-5156-00000000BA01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675859Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:46.088{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675858Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:46.088{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675857Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:46.088{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675856Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:46.088{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675855Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:46.088{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-80FA-609D-5156-00000000BA01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675854Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:46.088{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-80FA-609D-5156-00000000BA01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675853Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:46.089{7B03F3B2-80FA-609D-5156-00000000BA01}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573627Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:47.370{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F28C384E2E531DC3009500E5D687ED2,SHA256=8E71F9CB9A00F3BB1CE49AD2D1CA44198976D9B192C5800DC32BC3126A1187D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675881Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.921{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-80FB-609D-5356-00000000BA01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675880Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.921{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675879Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.921{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675878Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.921{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675877Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.921{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675876Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.921{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-80FB-609D-5356-00000000BA01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675875Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.921{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-80FB-609D-5356-00000000BA01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675874Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.922{7B03F3B2-80FB-609D-5356-00000000BA01}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000675873Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.434{7B03F3B2-80FB-609D-5256-00000000BA01}40163352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675872Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.233{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-80FB-609D-5256-00000000BA01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675871Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.233{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683A8D9A71D910094D28BE7F5578A864,SHA256=869C2DBDA53DA2E9A1172F07AF62D58B677676E9B4ACC1115784E4FA0D6B7DB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675870Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.233{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675869Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.233{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675868Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.233{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675867Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.233{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675866Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.233{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-80FB-609D-5256-00000000BA01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675865Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.233{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-80FB-609D-5256-00000000BA01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675864Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.234{7B03F3B2-80FB-609D-5256-00000000BA01}4016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573626Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:47.261{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06D5995D27B9C3DBB1827FA6F32FCB6B,SHA256=F447F23D9020B7E9EB98614798E2386626C1E8B0022097F093725B3594B6007E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573625Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:47.261{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFD96146AE4D5CFF6D0C55856E3D4A10,SHA256=436FA31289F1187FF0AFD6E331414D62ADB8B93CAADF76DCA74481C172B9862F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675863Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:47.134{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B10E278A073CD96435103C67E760A4C0,SHA256=D1960E497E199CE2C7589C8A4E071FA5D75D71473D3A6F8A0C9F936381D84087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675884Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:48.237{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0E5521B2847110FD2EBFF4028DFBBC,SHA256=F7650E9EA7E6B7ED626D325B34C403DC7BE13522028C451A21B31C1907B8EB6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675883Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:48.237{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA4CA31E2F74B3B53A5B4F12B7C2C42E,SHA256=4284950FCF35AA11A937534C65FD57093EA2EDD798B0235148912DC34A868BEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573629Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:48.417{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC42AE30C37E0EE38F887A79862264B9,SHA256=AC900DE87436F566A78727447F27C394EFF3BEAC161B8F330AAF937E559F7E36,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573628Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:45.751{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52848-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000675882Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:48.090{7B03F3B2-80FB-609D-5356-00000000BA01}13165568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000675885Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:49.274{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3F6DD4BC2B3CCA1FFAD071C58E960E,SHA256=C52EFD2BE10A72FF6818517CB971FB826B40A67F501C8F21AB80C10E2BC4CD57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573630Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:49.417{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF58459DB6B52D3C8EDE058EA1B0DCD6,SHA256=22A593E85E206BE6D50E20DCD74DEE3AB44572DD44DBFA0A740260F3884C2C10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675896Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:50.888{7B03F3B2-80FE-609D-5456-00000000BA01}70087068C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675895Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:50.704{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-80FE-609D-5456-00000000BA01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675894Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:50.704{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675893Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:50.704{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675892Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:50.704{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675891Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:50.704{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675890Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:50.704{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-80FE-609D-5456-00000000BA01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675889Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:50.704{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-80FE-609D-5456-00000000BA01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675888Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:50.705{7B03F3B2-80FE-609D-5456-00000000BA01}7008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000675887Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:50.304{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5E83F020256DF99922045A57D1F6375,SHA256=FBB3A7833C77C48D5152DD5C129B54F41FC079FCDAC4A27D1C19489662721651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573631Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:50.448{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23072DD007A06A9488FDA9791A3DD337,SHA256=AAA8773A8BFDF18326D6BC1F7DE08A4B0304FC6D1B5AC1CD6249DAF3E197C717,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675886Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:48.251{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51259-false10.0.1.12-8000- 23542300x8000000000000000573632Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:51.464{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0136676135DB43F6AA26068F986B2947,SHA256=920D5F4F8AFAEC0D362444573574030F639FC479DC499706F47770D6C2BB15DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675906Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:51.707{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E21D644307E9CC1238D6689ACC801B5,SHA256=EB089E50778FCA5C32C5E300D8E15678DE20C81000C16ABDC46E536E14B0DAB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000675905Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:51.387{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-80FF-609D-5556-00000000BA01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675904Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:51.387{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675903Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:51.387{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675902Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:51.387{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675901Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:51.387{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000675900Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:51.387{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-80FF-609D-5556-00000000BA01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000675899Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:51.387{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-80FF-609D-5556-00000000BA01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000675898Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:51.388{7B03F3B2-80FF-609D-5556-00000000BA01}5800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000675897Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:51.319{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAEFD6DEB7BB9D27941457B4C3FCEEF,SHA256=DC533754875E37452731556D30DEAF49710D8B7695EEE3943ADB97E8A7A5C4CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675907Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:52.337{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A3117F9084E8C989E5DD2B0BD921E0,SHA256=884CFE55F8414DFB484D17F45F7CABDE3F012ECDF6A823F806135EC7A419EF7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573633Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:52.464{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2DADACD4386BA1177D75FC0ECDF482,SHA256=72E5F82874B86FF12F2F42E92553A4BEFCCA0ABA50E0F00871182EF61C96ED95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573636Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:53.480{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65BCD646EDB2312C37698A030236A714,SHA256=28ADC5DDDB64669EA14A53D200BAFA9A0D770F2BFC1C18487E13D26AB81266E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675909Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:53.589{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FEE3D527E137A4858D49831CB306A0D2,SHA256=F7696697D8AF6D7298B3BD9979E12938C4D967F1C7727DCE22F8D3306FDF74F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675908Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:53.355{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F71F4754FC439EF5E9F9FEA22E24EDD7,SHA256=99614FB5D1C6DF8451BC1C7A78AAE3302D8E621A0504DF0A116BFB52E7117144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573635Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:53.151{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09E288C1650B50C6047F259D5A5C8D6A,SHA256=E1AAF2347DB3AE313E1D70591ACEFF5AE83929B659AF05A5EC93C77569670CAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573634Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:53.151{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06D5995D27B9C3DBB1827FA6F32FCB6B,SHA256=F447F23D9020B7E9EB98614798E2386626C1E8B0022097F093725B3594B6007E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573638Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:54.480{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA28890B11A64EAF56EFCE40205D97A,SHA256=6460D47C3049BC47D8F0CC85FB2B02D76F283023B6E72C4005152CAB130AC047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675911Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:54.373{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C77FC52795F810B57617361573C3D4,SHA256=6A5528EB7493D9A02CD4DD20AA0E2DB4D7654B0DA3286FCC0FF032C723884AA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573637Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:51.704{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52849-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000675910Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:54.054{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=501F0DA4AA5030925452C4DB2D1E098C,SHA256=B1F78E7515CE0209475453CAC839C393AB5A48A963D691DBED17D6FDE68FFA55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573639Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:55.526{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFD510656748D6761DB9E385BDD4DBE,SHA256=86EFB5C9FD54C5C10195BFB0D2FEEFF24C633D74EE23F94E99910F2D502F8A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675913Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:55.435{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCB9FB00E18ADA06713FC413AE5FDB0,SHA256=0DDD41C168B03A5733B62E49326391916B451C20042B1D5F6B4937F5DE126451,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675912Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:53.282{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51260-false10.0.1.12-8000- 23542300x8000000000000000573640Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:56.526{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=829E62729130A25EA77E809E1000404E,SHA256=129B6EED4322B468C4EACAEF996D3A5DEB7BDD59097101675F7F64E9491CC58B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675914Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:56.451{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C975E28C04233CEE4382F2EC45A4B45,SHA256=F4997F8F6F1E877D9B86AB76A62B81406FDD4883603AED5297EEC559ABCFD599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675915Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:57.469{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6621FDDD1D6731D620C5AD7AE989C4E,SHA256=D0E9ED0FA2885510AB839CCCE78658B5CF641A5994CE30FDA266239405FEE694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573641Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:57.573{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09F8B3EA70928B61D853C45DE19DBE6,SHA256=45B0DC8FA41485724E479E294339AE9D225D0BE2AFF68DEC3B9FFDEE4502FA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573644Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:58.620{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A70BAB320BC40DD95C11A2E67011BB,SHA256=146D52F20F2617C9F856CB4A624368E9531881A9CF730773BE564A32095E6022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675916Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:58.484{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C12AB394029A1E7C19E67241B8A111,SHA256=12AEDE6BA726AD43EA3978506AB71524B0FF6799116CB12BB957D693DD55C2FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573643Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:58.386{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4770622BE7FA9CE2C7F7BCB722863F4,SHA256=EF2EC425D2C0B7D705514F911A59A66EEAA96A4EC858F2F1D9B89DDA0DFF0F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573642Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:58.386{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09E288C1650B50C6047F259D5A5C8D6A,SHA256=E1AAF2347DB3AE313E1D70591ACEFF5AE83929B659AF05A5EC93C77569670CAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573646Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:59.636{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C322C971F901CDCB1030500CFDD67F9D,SHA256=B6C65B4DF69B6330C8C98F7A040351F5CB0DD2C94B31F60079D3852EBAD92C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675919Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:59.550{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67DB0F1AF52DD63B58789EB3618CCF36,SHA256=40A299FDCBD361F7678F1151A868DA4710F792C7280F070BE37FD59B8653F621,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573645Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:41:56.798{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52850-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000675918Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:59.199{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE4AE70E25262A7DEFBBDCE8B77E8FE6,SHA256=2B90390767D5C3BD5BDCA2F9FFEFD75359C0E34E23E8178D34BB5B26B57A3F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675917Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:59.199{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FF068184F9E281290B28499488B4469,SHA256=3EBCDCB4E81B50E4F27674F15C34974A03ACF32ABE78C9EB0A75E7A03CF89EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573647Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:00.651{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3451153BF8E90CE5FEBAD57EBD92563,SHA256=E3B8D38E23A51D1B5C55DC798C9AFE047A4BB33B2BFE4B3300D4F50DEBEBA035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675921Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:00.566{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B1DD53B8F6A235C4D86B10F092A622,SHA256=2F378D4656B842BF07F25082A278076D523A7596E1AF8AFDA4222B6D729CF994,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675920Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:41:58.414{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51261-false10.0.1.12-8000- 23542300x8000000000000000573648Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:01.667{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F416F0D3863C897EC4138C08AFB9E11,SHA256=8EB58D4E77A9B6EB2BE5D35C02B8BE03A1115D20ED3198FDA612AEF698EECE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675922Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:01.581{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A89ADC95A759E36A9CA718FA6C73454,SHA256=F149B15422B374FFA1EE49BE61D70304CDF4924E1232A11DE714636FDAF5F209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675924Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:02.612{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE4AE70E25262A7DEFBBDCE8B77E8FE6,SHA256=2B90390767D5C3BD5BDCA2F9FFEFD75359C0E34E23E8178D34BB5B26B57A3F2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675923Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:02.596{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB77EE67805145BD13DACD7A1018703,SHA256=3339D5390AAEE2A036EA95EC60AEAB30D16C765A54F07B0D8956B6AB86781E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573649Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:02.714{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2AA57239EF96C9323CDC1AFA740A15B,SHA256=F34DDD6B663145EFA6FC1711F3CAE87F485804040807E819685A950CF39367A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573651Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:03.745{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A694D67C117C58EBFBA02DA461C328,SHA256=857753AFE0570FD41D04C72FC7919340473EC9E1902D2706C669A53F5575A6A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675925Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:03.645{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397FCEEAD301868F2BC4C74F5C0C674C,SHA256=AC1F535F0792E3ABAFBD041518344AF179A16DAEECBD4DF35F5D52A46EB8AB44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573650Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:03.276{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4770622BE7FA9CE2C7F7BCB722863F4,SHA256=EF2EC425D2C0B7D705514F911A59A66EEAA96A4EC858F2F1D9B89DDA0DFF0F1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573653Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:01.892{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52851-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573652Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:04.808{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68E4D4AF8588D9E3E6A39A380A789EC5,SHA256=B077BD034F76E8918D30981AB65CF83377B2A403EF3BFE1A1683273B527CED41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675927Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:04.663{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16EB008FEE30B2DD99F16864C7BFFE9,SHA256=DFEA8A456DDF46364E9372E7959A8C5D4BEBC00847FAED7F10036532261A2D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675926Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:04.247{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16A950461BB5B241EC7E996C6BFEF7F6,SHA256=33B6A6226B180B45271CE0AE3A48DA209F54873499EE32156BC352F9676DA6E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573654Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:05.855{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6366BACE55E352A9E1D54DB8AEA8D61,SHA256=8EBD62EA6184272E29CFAB7A3B84F364024D1638315112C64A3B700B97FBE5DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675929Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:05.677{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451A10610638D509E1F067BE192B1822,SHA256=04DDF2E4EDFF882D9630B1974950D088D58FF5053CACDB1AF94DC3306566CF16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675928Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:03.472{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51262-false10.0.1.12-8000- 23542300x8000000000000000675930Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:06.691{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC5134D90381C29E49D1572F23E3006,SHA256=457F08467B4C24C1E1646820BB99266D489C3A1AA103ABE604AEBC1C738A4167,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573655Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:06.874{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD49AAC5CF03A5EBA2E33BAA410CC65,SHA256=BA0C5911D430E8FE12297F9C2B84148509812A687B6E38432D698CBD2CBCC4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675940Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:07.706{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11CCE2F4D33BBBCFFE52556BD1638616,SHA256=506AAA49400E9213B24B67E820883B447777969F60A9B21D9D7B4D938856B1E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573656Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:07.905{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CF6CB87D6A5D6C26CFE24B5F506AA1,SHA256=E9E0956CC8FB174C15936A504D5B81C3DBDA914428C4D2B6A04422608932C1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675939Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:07.690{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=32742D3008C357BC328DEC8600C7959E,SHA256=CAE4DFA532A1ABF3E11E4D3C4F6DF2AF5659376C14F23C58663F6308BA0E887B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675938Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:07.690{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=536D250A5E6C1518F56A2C55AF0FEC76,SHA256=11464D90F568A58B191D0292F99F592450291D3EA82EFD8DE6F479AAA76A976F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675937Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:07.690{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=743DA273B2A7D614E39E7FADCC55814D,SHA256=1D765B2D7EA1E57A423503789CE3181CC08650DE2803667B33B60A75B0393F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675936Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:07.690{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=DD086989B2F2969AC0976FB7BE8338A0,SHA256=FFC0A88B196B9C588C075276D9A2C678D0ED103FF13A924C4EAE529E0213093E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675935Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:07.690{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=D35B6D272A5EF8643DA264314DF71918,SHA256=AB295EF3216699A5D6974AD689F5C7B2A446973ED7D3D6D78FCE0869A51137B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675934Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:07.690{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=EA5D23888B27EBFA2B88FDA9A8B4B72C,SHA256=17C876F11E6D80917F42D83505E4E6782CAB040D58668C3D02B3BC6729337D2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675933Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:07.690{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=45960FF5C562DB6823F18DAFC0C673C9,SHA256=10302FC4EE2F9A06FEDAE341B11D570E3CCE68FFAA0A5FA012A4E5462D80A846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675932Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:07.690{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=FE20C5C0C0ACBF4EAF0B1B89CBF890FD,SHA256=F756E379170B3490CF5A209C467A572660AE875EB93BBC60E94D7D6313882D58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675931Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:07.606{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90B225D2ACB1CD5346827E7605D02DEF,SHA256=D56B69C2020BE29A8885800A70249A23EC2FD6BE0C1FBC1412D4B783F12B9C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573657Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:08.905{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96D43076C816155C7D8C4CA7EC2A821B,SHA256=18C4769DB48FEF39A6E156B9052931D151CB354A452E69514903580E6ED23270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675941Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:08.720{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D861D1C0864798CA8ADAE221C9E4BB8,SHA256=118B599A98C52D581846483D979E757C970897547503A1DAC88CE238DE7C78A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573661Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:09.967{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3784F2B3E5DA9D2DBEEA51969938B38,SHA256=7CF41D7D209BE7C477AB73E4280CCB9D53634878A74D3FD2290CA0E8CF5E9E60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675942Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:09.740{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8BF2689EAAA526013A7EAAC83B9571C,SHA256=F5A432FB9CD7A64FA77E15C141F3D9C50B12C9693899FEFC02B18C69D5F9B6D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573660Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:09.530{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=53A08AE41F4D9BC952216A6775217213,SHA256=E8EF24983A29F825D4031452AC216462A471C70D662DFF06AA961313806E9E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573659Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:09.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6678253902B0AE492B42A4D0C5FC44AD,SHA256=2638CA0E46C23EFAF759D5D476AF5D51C1C1EDD0E326CB561218E82659963A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573658Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:09.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A18B69C920217B57606125EBB2440DA,SHA256=1EB47B8803ACD0DC49A3FE2BBF6ED420AFEFAFB39E05169CB37961DDAB7DF2FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573662Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:10.983{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EEC4DA76DB85EB6C2C5C3927EDC3DC1,SHA256=831A097C295F4F7FFE9402241941923F93ED6D2899794610801C4F755EE03926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675945Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:10.754{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D554BA57254177B950024735249D9FF,SHA256=9151E0B4E65D6EE90BB1818A72F4ADD51148C34A253B59498C434A65C66AD8FC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675944Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:09.417{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51263-false10.0.1.12-8000- 23542300x8000000000000000675943Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:10.202{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5BF0FE12BF5767F138978BFFC66CD019,SHA256=BD3A410BD9FC797A5E8F70B0E1C1F90C0330D2E4A257C4DD730E4F49424105EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675946Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:11.769{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D992CB6DDF64288A6B5A4479DBCF511,SHA256=C18C120B48F5014DE68E056EE85FFD5AEAB5DC5D7E05DA232B19A4878AB3091E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573663Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:07.786{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52852-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000675947Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:12.815{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5D922D7117AD570832995A8152F204,SHA256=F37807085EB9AEE6178287BF838E8A79A48F04E1C9D2C25AD7A8A932FA64917A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573664Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:11.999{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62427105F92AB092049AA7E10575D5E0,SHA256=441ADB80A70BF67153207FA2188A41778EFAF45E1B2E6D617CFBA9C6A13D8FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675948Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:13.832{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C39E68B61B364BFE96F740AEBA748F,SHA256=08F0773A84315AA19D7E79AE58EBA09552C0A5B72B89DB97E7A0649B7522C82B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573665Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:13.077{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124CE439785EF35A260FB73FFEC02147,SHA256=D36B620AE2F6651362A8640800F0BF5BE430FAE0C30EDD1F21C02C8B83E88B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675949Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:14.853{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843068ACEFBA28B79D5E573F1820B3CD,SHA256=8CF743112A10B7B8FDE879A6416C0BA0F9BA684F67A41D7EAED55F2B6137A290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573668Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:14.311{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1E0B18FD4A263779EEDC99C4D6BDB07,SHA256=648F44E9D2729781E54E9D19093A9CD1B86EAD7435DBBD065C1E3EB84DD09260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573667Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:14.311{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6678253902B0AE492B42A4D0C5FC44AD,SHA256=2638CA0E46C23EFAF759D5D476AF5D51C1C1EDD0E326CB561218E82659963A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573666Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:14.139{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D912F1E72641FF56A27BB87475579572,SHA256=50EB3E66A56A5BF896401E8C8AA63430FA7B5A6109F712E42A913896F702E662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675953Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:15.884{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4822866DD08BCA54962C7D8D53F6E544,SHA256=D50C2FA737C1A67644EE5C4A1612C5FB4DE3F8F418CE3C1667D4F394A98EA888,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573670Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:12.833{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52853-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573669Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:15.171{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F362B1400875482686F9E025FCAD7000,SHA256=4E41871BE3171E132D4CE3CA8FB8495D844BF2FC1C2B5915BF511BC1BDDE9E67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675952Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:14.461{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51264-false10.0.1.12-8000- 23542300x8000000000000000675951Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:15.237{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44453533EBB1AE458CC52482D84D2291,SHA256=2B2B6EB5AE5B997965F32E2018DEBBBC9348D5A8DE8D563A02D845D03C998D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675950Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:15.237{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC00BEB1D23C5F3313CF8D8F68346FC4,SHA256=F83ADB8AABE9931D7B91181C558519DF500C20240C5D704A899943F4B216F1C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675954Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:16.898{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D47402BB59E8031FB66C574FCF019B2,SHA256=3508B28460C915BDECF76C883CF49F2802CC8B697D7087C3ACA8FC0A9D0E5194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573671Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:16.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A10EF535E3DEF52EBAA16CC1E2F709,SHA256=AF91771E58391A972C2079A6D71B42287D3CCE8A012142617BA882F772F25F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675955Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:17.950{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165077C499FC466CF96E07EC86DF7AAC,SHA256=DE1CA0C4AF2F14F3C2CE81333016F597CACAF20FA6F5892D906057EE687FE2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573672Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:17.202{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDA6C25DBF612616188B9A208A1E2C0,SHA256=0A673A58E9AE5CC3F5F72D23F99C9711641C6F914F214363D95160A2982DC69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675956Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:18.964{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA053F5AB883EC3F94B56B3B895E68B,SHA256=2205714395C14453C7E4C3BC61E0F3328D5357FE143A341787EBA0CC25021E9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573673Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:18.202{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90F70FB17F89E2DD04FCEC8189F85E12,SHA256=02B6484CDC4E068B012DE38586B115F514A97A7E7576502C9E447B32F9325050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675957Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:19.980{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D801840EC8508D317C6815C8265F8FC,SHA256=0F6170BCC03771BAE932036F6C3B81BBC18E62C8536835C38A7246F5E94F4F09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573674Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:19.218{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA652CB62559D3A672540D2EAA9F497,SHA256=9C1BBD9DDB80B46E1B23CAB181EB40D59AEB7611B22C35D83C5BEB8C06BED9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573677Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:20.280{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFE792A49D8769EFD641F63D57A8B09,SHA256=54BF1BF935CB32F18A394D7994B21516354728563D3BD695C048C8A7CDDC916D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573676Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:20.124{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE39C6C240544DC6CA66888B2EA2528F,SHA256=77121B7CC9A0C0D62B69EF6810FF1613F67DD91ADE7A5811291AD258AC124A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573675Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:20.124{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1E0B18FD4A263779EEDC99C4D6BDB07,SHA256=648F44E9D2729781E54E9D19093A9CD1B86EAD7435DBBD065C1E3EB84DD09260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573679Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:21.280{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85DC8F85A903DEDAFCFA857373F796F,SHA256=8FD76C7F067F0CD5630BF72C7E2F369EAFFF439C778F53BE18A1FD3509309B88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675961Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:20.294{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51265-false10.0.1.12-8000- 23542300x8000000000000000675960Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:21.079{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA8BAD56ECB9FFE43D0EDE82BB135A81,SHA256=75EB2DDE027965385F02FAB30C9ABB0E0D8D6C1269323008BFFB999695EECF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675959Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:21.079{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44453533EBB1AE458CC52482D84D2291,SHA256=2B2B6EB5AE5B997965F32E2018DEBBBC9348D5A8DE8D563A02D845D03C998D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675958Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:21.010{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CE3E10E283215F6046451F5438CB18F,SHA256=DC7EB2A92FCD098C285FB361F90846522B513EF9E885EDD61EE7E2FC2552B7C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573678Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:18.724{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52854-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573680Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:22.405{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF1F98859C36025C31893EC67391AC0,SHA256=4B2900D3A637AC315C693C0D9AB4F63963A68D59C515FF197CED497C4EE60533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675963Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:22.627{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA8BAD56ECB9FFE43D0EDE82BB135A81,SHA256=75EB2DDE027965385F02FAB30C9ABB0E0D8D6C1269323008BFFB999695EECF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675962Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:22.030{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C010FB9E26DF71F08EF091BDE22AACF4,SHA256=1947B633ACF213A3E48CAF3BAF2B0166C3A75B30D5C7893F0B522947E929D022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573681Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:23.468{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E313320305ECD1AD693ED59695A4824F,SHA256=5FF794F627B574EB137504159E3631E8E8E4D996BF952800ED1974CED76F3B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675964Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:23.045{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DFD4FDCF47D8EC4E1AE2D78FDF2346E,SHA256=EF1F787F918562A24CB2D1E86CDE1008E646DD148EFE16F6B9983774FC0C5834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573682Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:24.483{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ADF40BD7B69C4BB76DDC616DB802987,SHA256=F87E9E4A8DF88CE0EC3D92AF983021C7C087457D886E7F8CE1F8077619890406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675965Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:24.060{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D6EE6681F388DEE09761DC237AAE33A,SHA256=426BFC7696F2EF20C5AA35A6C5ADF1ED578C08A740CEB553039FDE3C65D4E77E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573699Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.952{E1BD9FC2-8121-609D-2051-00000000BB01}23363800C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573698Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.827{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8121-609D-2051-00000000BB01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573697Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573696Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573695Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573694Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573693Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573692Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573691Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573690Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573689Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.827{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573688Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.827{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8121-609D-2051-00000000BB01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573687Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.827{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8121-609D-2051-00000000BB01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573686Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.828{E1BD9FC2-8121-609D-2051-00000000BB01}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573685Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.530{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5587791307809CC864DB5B35824768A9,SHA256=5E828D81117087D0437F0F2D33B16A3A880A876E4D4F51210424D71806EECF9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675970Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:24.521{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51266-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000675969Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:24.521{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51266-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000675968Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:25.390{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675967Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:25.291{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6695EF57B00163386F54E0943553ECD6,SHA256=DA7B746ED348B8C6595BD24F6D981B5447AEBA0C3797F30DBCD6A56A7DD87D71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675966Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:25.106{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46286612FD02200836969EFBFDD3DEE7,SHA256=6E196FFF7353374EBA1FA3AC9A504271BFBD9F8EBBA6AB8CB4A2EAE093DC6CAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573684Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.171{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAB35CFDEC75ABC43C1138D365EAA758,SHA256=C403A2141FE1B838917C85633CC55C2080C9F26866FB4C3BBA061F8E5D41A1E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573683Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:25.171{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE39C6C240544DC6CA66888B2EA2528F,SHA256=77121B7CC9A0C0D62B69EF6810FF1613F67DD91ADE7A5811291AD258AC124A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573715Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:26.835{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAB35CFDEC75ABC43C1138D365EAA758,SHA256=C403A2141FE1B838917C85633CC55C2080C9F26866FB4C3BBA061F8E5D41A1E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573714Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:26.788{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680C1476ADD480AD2B2B3D38B758095E,SHA256=0727E15B10845BF3ABC58BD9AC1B99BC725DC6025D1B76DFC67AF3313C421DFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675973Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:25.620{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51267-false10.0.1.12-8089- 23542300x8000000000000000675972Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:26.389{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5553A16C83F8625533385AA328D1135,SHA256=6927E3FA14469FC40C652E5FAB12970BA0837E7B85630B7A098CF8FB40B708B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675971Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:26.125{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A065825AFE5989EAD563AF6611089A5,SHA256=FDBE55F99BDDE4A14B00E6C547C1FA9CB3CF4681DB74C1FAA201479147564A22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573713Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:26.499{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8122-609D-2151-00000000BB01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573712Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:26.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573711Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:26.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573710Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:26.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573709Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:26.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573708Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:26.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573707Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:26.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573706Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:26.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573705Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:26.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573704Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:26.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573703Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:26.499{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8122-609D-2151-00000000BB01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573702Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:26.499{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8122-609D-2151-00000000BB01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573701Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:26.499{E1BD9FC2-8122-609D-2151-00000000BB01}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000573700Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:23.786{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52855-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573729Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:27.820{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9035B1B2C0CF02EE44855D8CBC16936A,SHA256=8538485D0E55A13E2B1D427313892DBFC43D81ADA3905DB3C69B5B7404B8D53E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675984Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:26.269{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51268-false10.0.1.12-8000- 23542300x8000000000000000675983Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:27.757{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=AF8474C39DE94C9D0DF554AC50049E6C,SHA256=867354B12F2B2640000494D153E93771D81B876E3F8A43F655C6BA43208E63D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675982Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:27.757{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E3B85498E2F7F1D61F3B4C7EC6AD4319,SHA256=E79BB6C51E35660130FB9D826ABFF13F038D8459140B8DC921ADC9E0AEDDF410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675981Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:27.757{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=5AD856C484EB16898D72032A67BEF3E3,SHA256=B1CBB506AD0909A35440E25D2EBA5E66538E6539C04793F39DB7D08BD0E61E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675980Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:27.757{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=FB2D4D5BFCA96942069FEBB0CD03D0E8,SHA256=415FB1CBB9EFE5A556CBA7D291107A6891738FACD318ECE306B1E02FF114153C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675979Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:27.757{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=CB2863D8AC5210034615D9BA0062AE90,SHA256=28D96F9ED9A43D47409B54C68F3C8B292637ECA8D13FBFD6F58E2756E1BB3A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675978Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:27.757{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=1EDC9489F4E93988FB933E3FD64F65B7,SHA256=CF6476DB3B0E6E232EE0888BE136EDBC2D8C67F6D64915DBC12DA9F957D76E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675977Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:27.757{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=07E8CB1AB3A15AAB8B6EE0324AD6FD11,SHA256=077E948BD19AF1C8294C8571188D8322B117A2E1C3C410955C6BCADC82B71FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675976Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:27.757{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=64FA11025F1CD2169FC647ACB843FDA4,SHA256=02AC1958067391288A238D473430A657F625F04B5B4018BDC28C69DD2A449DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675975Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:27.623{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1718AD782F218D6A925970502EE61B4C,SHA256=1D9F3BB4C6C9C6DB49F696B6FF405B9A6D6DFB32A4A07E88691E850FEA9F07E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675974Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:27.142{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6CFBAFF75484928CF9E42685967AD34,SHA256=B04CFD3FFBE6F159876244F22099EA887A6EC62F33FF46F8A60E7D064ADC1681,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573728Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:27.179{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8123-609D-2251-00000000BB01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573727Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:27.179{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573726Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:27.179{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573725Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:27.179{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573724Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:27.179{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573723Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:27.179{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573722Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:27.179{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573721Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:27.179{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573720Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:27.179{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573719Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:27.179{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573718Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:27.179{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8123-609D-2251-00000000BB01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573717Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:27.179{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8123-609D-2251-00000000BB01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573716Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:27.180{E1BD9FC2-8123-609D-2251-00000000BB01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573731Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:28.867{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0261C16E657A7C9CAB0ADF74826843E,SHA256=028C7F5246B21F9A7FA5E6C991A51BD7E07770A1A16773CBFC321AC290E67D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573730Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:28.179{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9F624C2B91006772866533200C8CD33,SHA256=F90A46B768F733ED1560AF31DD0F75096FA1C22183A317C4F0DFACDEDBAF7448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675985Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:28.157{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC834AB821CEA38EB433E37AB893A1D,SHA256=087D1F3D9C74E5AB6E0E7A4D2EB853993CFFA72A5CCAC82D57C0052F366FA11D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573733Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:29.960{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573732Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:29.898{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BED5CF69D4B304679C338FC28DF0189,SHA256=F7080D1B8CC06EAA4717B216C143B1732AFE14BBE38F2A6B36AD983EF89EDF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675986Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:29.171{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A4234C988588E7D34D5D1B10DE3AFD,SHA256=291C0FB8E72DCD204E7420F31462A2B7C9D5363E1DC5AEA3F3E72168B6003F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573736Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:30.929{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE616D75DD9FB24499215D5D45C5E67,SHA256=7A7678DAA7117710245FFDB6194014868A05F091772EBF519975D5A9529F6B22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675987Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:30.239{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93AB2644A4FF14B0C8496EFCAD7EB42A,SHA256=0500381EAA5916BDD1B1536AAA0107F059A5A4BA5A00884D138AF0D27E2441D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573735Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:28.826{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52856-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573734Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:30.288{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=371761CD534BEC9914B59044D676A950,SHA256=F7CB7D57BC61CA30D29291E9740A1A7CD8D81E33845967531B9653B31BEFD4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573738Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:31.945{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F20EA3B04AD25128BAEB689F7FC988,SHA256=139FB2D2EF6193ED490FA52E50C16DDE8270182B78DE38E8AF0A01B7E132D169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675988Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:31.253{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A886FA2EDF0084D48516A68E200D3EB,SHA256=416505E31467672D63D0EF0F2E2900E81CDBBD4FFCAE572A0932022F289AC1A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573737Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:29.576{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52857-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000573739Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:32.960{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A10B0FE7D07F14B0E20F98844B3E7DA,SHA256=41DCD357BC02E2A55EA65C78277AB0BC5FE2AB3B818D250113B444A57DB7AA4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675989Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:32.268{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C729FAF3A6A0DA2E1398770ECAA4D4,SHA256=E244024AD617FB1D99CC4FC1F8B11B66CEECD935710C03DAEBD26B65771A90AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573740Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:33.992{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C21B0B4B205E7FB324C0F1649CC6CC,SHA256=4CBE3B48614BD5B67E8EFEC9982C2923E883A76F44E52A686FEEE56AB7182FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675992Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:33.299{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80AD37C668461B11FB9613377582DCCD,SHA256=0DEEAFF42A55788AB290D55960AC1D2D75625EBC1925A5FBF3790DF82EB79F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675991Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:33.037{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF0069576029A4FB36E07467F781A567,SHA256=D79948182F9A60130FCACC0B787476D1C41D7D1E67A0F52EF4E6CE10843C50CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675990Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:33.037{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4235419A3D2659BEE9FBBF0B910130D5,SHA256=EDD1FEF5084C9129B03FBA54688A39B0430F5A63A4764EBD929EE69CCD472C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675994Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:34.300{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFA224D6D7786409CF1B089F809FD3E,SHA256=EF984AA9F42E03A640D43A632F9F27BEABF2BE0EDBBF9118A445AD02815BCBAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000675993Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:32.282{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51269-false10.0.1.12-8000- 23542300x8000000000000000675995Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:35.317{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7592887D22739C7A204C0E54D44F0FB4,SHA256=30F00C47026EBB8731F0FC1BC0D17F0796013DCBF252E2FDF579783C95E2584E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573769Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.835{E1BD9FC2-812B-609D-2451-00000000BB01}38362472C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573768Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.710{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-812B-609D-2451-00000000BB01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573767Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.710{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573766Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.710{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573765Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.710{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573764Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.710{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573763Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.710{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573762Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.710{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573761Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.710{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573760Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.710{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573759Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.710{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573758Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.710{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-812B-609D-2451-00000000BB01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573757Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.710{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-812B-609D-2451-00000000BB01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573756Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.711{E1BD9FC2-812B-609D-2451-00000000BB01}3836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000573755Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.163{E1BD9FC2-812B-609D-2351-00000000BB01}29042928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000573754Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.070{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC47EA66956DFA2E229B2A74DF12836,SHA256=BCD7B0ADADEB057DB21B6BC51392FF9F1B708C8DB9AD2849AB38074B9A69DAE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573753Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.038{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-812B-609D-2351-00000000BB01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573752Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.038{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573751Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.038{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573750Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.038{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573749Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.038{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573748Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.038{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573747Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.038{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573746Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.038{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573745Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.038{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573744Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.038{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573743Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.038{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-812B-609D-2351-00000000BB01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573742Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.038{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-812B-609D-2351-00000000BB01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573741Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:35.039{E1BD9FC2-812B-609D-2351-00000000BB01}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000675996Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:36.320{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=517415892A40E4553996CEE0BFFC50DB,SHA256=010CB6B72F7D8F5C15B673C7F4E5974BAAC723A4308E99DB718A22201C5C5C59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573800Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.898{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-812C-609D-2651-00000000BB01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573799Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.898{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573798Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.898{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573797Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.898{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573796Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.898{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573795Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.898{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573794Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.898{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573793Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.898{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573792Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.898{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573791Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.898{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573790Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.898{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-812C-609D-2651-00000000BB01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573789Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.898{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-812C-609D-2651-00000000BB01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573788Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.899{E1BD9FC2-812C-609D-2651-00000000BB01}1064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000573787Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:34.701{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52858-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000573786Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.413{E1BD9FC2-812C-609D-2551-00000000BB01}2163220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573785Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.288{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-812C-609D-2551-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573784Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.288{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573783Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.288{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573782Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.288{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573781Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.288{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573780Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.288{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573779Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.288{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573778Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.288{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573777Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.288{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573776Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.288{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573775Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.288{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-812C-609D-2551-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573774Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.288{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-812C-609D-2551-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573773Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.289{E1BD9FC2-812C-609D-2551-00000000BB01}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573772Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.273{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E746AD02B4C7D145D48C972452A2D9A,SHA256=B2531737129E3E45D00171D5269FD5D8407BAACF2E39D939CE9A0494C0AAD3A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573771Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.273{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D244697E7B28B369057919C6B061CB11,SHA256=A1EC357B61EA39533E6A6474274856A6681BC9D301A40BE9770BB59C926E200F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573770Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:36.070{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E583D920D2CF3DE17315952C801F906,SHA256=713D7E1B5265ED2D0E973263DF188ED89EDB6A9EE4E2F739FBF8168C5A6DFAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573802Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:37.416{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AF597EEC038E6C9C1A18293DDECFAD,SHA256=B636686873DE323B9A40FA5C57FB2CEB3E3D864DC07C7F983D8B832271130562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573801Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:37.416{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E746AD02B4C7D145D48C972452A2D9A,SHA256=B2531737129E3E45D00171D5269FD5D8407BAACF2E39D939CE9A0494C0AAD3A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675997Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:37.351{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=080B98C48A7700E425225CC70960A1A4,SHA256=67653ACC0B56DE9C78ACD4AF356CD8118015BD1FC851C750DDF650FF4D883F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573803Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:38.460{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FF01044324BDECD79B70932ADC671AE,SHA256=DED4B447A6CC8DC60EEF9FFE9A35C6166FCB4C9C8DD2E591D0E8F202C6091BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676000Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:38.367{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15977D10BCB510C157D4BA6AED1180B1,SHA256=F9B64A74BDF4D149E08E642B402EF37D6C6512F069FFA7CDE65D543CF14DF0F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675999Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:38.152{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A85E77F6F48B346C9AADCA6F3DDD3869,SHA256=FF5710A9EF6754AB6B16F5D4096AA25B11DDC447B10B60AB2207FDBF1962E22D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000675998Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:38.152{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF0069576029A4FB36E07467F781A567,SHA256=D79948182F9A60130FCACC0B787476D1C41D7D1E67A0F52EF4E6CE10843C50CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573804Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:39.509{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684C497587BF2F9C9EF4A1C21EE98EA3,SHA256=AEABB713F486913B0ECF48DEC87FB9E88B4BCF8883E29A6D22A7305EE7AF4669,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676007Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:39.949{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000676006Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:39.949{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676005Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:39.949{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa812582.TMPMD5=346300475E448CB8C87FA70FBB77957C,SHA256=6E1B0925EC7B732FAB1C67727204BF1339A3240893B5B49D14944A94705CC7A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676004Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:39.434{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1200-00000000BA01}388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676003Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:39.434{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1200-00000000BA01}388C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676002Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:39.381{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C127E1FCD6B8AACC55068ADC4813DA3,SHA256=6DF66F7DB3AC8D74D4AE56C9FE9CF461331586A32BCDFF389208D2B2CFC078E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676001Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:37.397{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51270-false10.0.1.12-8000- 10341000x8000000000000000676011Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:40.680{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676010Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:40.680{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676009Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:40.680{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676008Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:40.433{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17F9B84B07A8470182915A93647D3F97,SHA256=E9406B4324478BC7FD640936B320E849863BAB65B4A2145CD206ABF40409CAB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573805Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:40.509{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC9152C0D4EA956DE7E5EEB419BE26F5,SHA256=A11DEC3968D3D2981D7A25950FB5747308AAA3F541ABFE2ABD46A9A07114228E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676012Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:41.448{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F8912167E2F7ABEC316F8E94B07C758,SHA256=B4CF6BD6CEAD1D7AF17736E9928DE4D4AD1E7AAFF8CDC07F47C2BCD2DCA30744,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573808Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:39.828{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52859-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573807Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:41.525{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E406D78667868D39AE460DB1F6B0AB,SHA256=7ED9DCAFA79A25AFA0BCEFAE6D6C1E819C63C697547C2690FC43FFA530950B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573806Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:41.244{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6C56397DA026BA8A66B91E6CDF78D92,SHA256=14DF0536807BC6E9D06F60A6EFD0BE6FE1DB4522E4528A00EF82C5B1C2315FCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676014Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:42.615{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A85E77F6F48B346C9AADCA6F3DDD3869,SHA256=FF5710A9EF6754AB6B16F5D4096AA25B11DDC447B10B60AB2207FDBF1962E22D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676013Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:42.462{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179B8A8F75F11D972DED3A5E0D5200A5,SHA256=A9EEDCB6555D5D460F419005A46B1156F82AF6B7F84027F65B8A65D16B33207B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573809Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:42.541{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBEAB281549B1F9C7BF9D604EDE8C619,SHA256=580417F1CC83427D8091C6DB78B5DB339E570D7F5E4522543489872CC5A36F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573810Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:43.556{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC009E92D55DFA8A016A645EA96E43F1,SHA256=FEAB40DB7C46BB0B5F7D5A5D15DD644A606B03486B799E490836183D1051301A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676015Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:43.530{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A08D2DD58A991A812487418D1F548C,SHA256=249FB9A702004353532602D42B816FE2D2F2D6E4A62CCB5C3EE6CCDD593E5189,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676025Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:44.944{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8134-609D-5656-00000000BA01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676024Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:44.944{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676023Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:44.944{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676022Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:44.944{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676021Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:44.944{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676020Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:44.944{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-8134-609D-5656-00000000BA01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676019Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:44.944{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8134-609D-5656-00000000BA01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676018Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:44.945{7B03F3B2-8134-609D-5656-00000000BA01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676017Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:44.560{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F9E531E8D46B606E716C0703FEBEDF,SHA256=89E4E418CCBB9A267DBD7D8B2638B02711146CE8EB44E7B3AC5B8D1626AA68FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573811Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:44.572{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3BCFF7E150FEB68103711E622F20CF,SHA256=C64AE4C8BF6A25FF6C5AD94438C83BC1B4057CAEECDC647152BFCC95E5FABCBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676016Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:42.476{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51271-false10.0.1.12-8000- 23542300x8000000000000000676036Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:45.959{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EAD988ED0B1954DD52B9D3A4188EAB4,SHA256=C844974A54B46BF9D62A295D3AD18C268923A280040F992C3ECA7A36C4528014,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676035Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:45.628{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8135-609D-5756-00000000BA01}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676034Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:45.628{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676033Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:45.628{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676032Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:45.628{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676031Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:45.628{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676030Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:45.628{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-8135-609D-5756-00000000BA01}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676029Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:45.628{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8135-609D-5756-00000000BA01}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676028Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:45.629{7B03F3B2-8135-609D-5756-00000000BA01}6188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676027Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:45.591{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3192809FEA11741D8206A6D51574575,SHA256=235D073A37DD5A471B7B7E0501B3237FD4755CFCF0D79120E2F859E2681FA692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573812Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:45.572{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CCC5D624B65D2A26448AC4EAE6537F,SHA256=333FB0D50AF31B1BC6A89BE50266640C16AC7AF72B9D57642C8125C4A2F1B145,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676026Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:45.129{7B03F3B2-8134-609D-5656-00000000BA01}38643168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000573815Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:46.588{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA8C41079AEC089E439C5BD066768ECD,SHA256=15E7E6A8E72D261B99359BD6EAF1BB011BE3082EF4CD8E0B57FBEACAE50EC743,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676045Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:46.612{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26C709EECB6FFA9ED071CCA683276AD1,SHA256=307CFD9AD3650686469EAE36E7BDB3768FD81960057111BCE28E7B56A0B06DF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676044Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:46.310{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8136-609D-5856-00000000BA01}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676043Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:46.308{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676042Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:46.308{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676041Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:46.307{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676040Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:46.307{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676039Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:46.307{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8136-609D-5856-00000000BA01}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676038Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:46.307{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8136-609D-5856-00000000BA01}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676037Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:46.307{7B03F3B2-8136-609D-5856-00000000BA01}7808C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573814Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:46.244{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A800336BB41FCFE60F8BB2A337D40FB3,SHA256=C0A0EE306A9AA0BDFA956E6DEAC0FFA806407060CA1BEC9702866ED91F8A09B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573813Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:46.244{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E3B7C728D925FE646E9CBDC3FCD21DD0,SHA256=34E46742C277B8D63D9DFD8543529157223A0986E482E2DD228A1FF86491BD75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573817Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:47.605{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E429FECE5D298D4CB0AF7C7AC5ECBAA,SHA256=4B25985671B4104C9A5377F55F7E9D7A07B4CC8F402A94C0F2A18C16E518341D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676065Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.928{7B03F3B2-8137-609D-5A56-00000000BA01}56043192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676064Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.743{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8137-609D-5A56-00000000BA01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676063Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.743{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676062Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.743{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676061Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.743{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676060Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.743{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676059Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.743{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-8137-609D-5A56-00000000BA01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676058Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.743{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8137-609D-5A56-00000000BA01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676057Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.744{7B03F3B2-8137-609D-5A56-00000000BA01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676056Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.643{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B9E840A7BD34525CFF62C0DD6D0EA8,SHA256=5C3258731222D14389403D14F6717CAA8DBB46B794EC029681C56544732EC094,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573816Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:44.859{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52860-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000676055Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.359{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D91AA7BD4A21C9545E8A84DCE2CA54D0,SHA256=0CA5A6F45AB5E5EC465EA9F5CF913D22BF47C47D1723EE325E24ECFB8B45007D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676054Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.290{7B03F3B2-8137-609D-5956-00000000BA01}79441036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676053Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.075{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8137-609D-5956-00000000BA01}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676052Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.075{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676051Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.075{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676050Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.075{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676049Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.075{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676048Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.075{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-8137-609D-5956-00000000BA01}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676047Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.075{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8137-609D-5956-00000000BA01}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676046Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:47.077{7B03F3B2-8137-609D-5956-00000000BA01}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573818Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:48.605{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0590B1BBA67417FD0B68181B953697,SHA256=4E2A8FA3553681F0E45363A4E5C745992E00376D1F6ED3E2206E669EA9787970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676067Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:48.774{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9133C441CBFE9B4A3E5F9A16DCF873CD,SHA256=A93BF06179BDC118879A9137DB3D9A2F4E36A3699E75ECF69F96582C5598B155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676066Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:48.658{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334B1D1748F38AB2356FBB3D2812F65D,SHA256=868BE4EB14E6108DD982CE8387F53432371DC9EBDC4018CF907D01B9A02186D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676068Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:49.674{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=849B1EC21BBE706BF7E75313533565DA,SHA256=C340F681F35C493C9889EAA050A8A0C517EBDE5629865DB37708739248A22BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573819Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:49.636{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1960A8DBB839BC1DEA8E343BD79A1F19,SHA256=0FA6F937AD7856DB054BEB3424212D5868FDE17483B5669FD77A53EF09705191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573820Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:50.652{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8D61EA907B8E4AE43DDF7F5851BB82,SHA256=CACBB915D5B20F6FA624C82D7792394E9210F16A128882E21451EAD8F2F0198C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676079Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:50.911{7B03F3B2-813A-609D-5B56-00000000BA01}76447332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676078Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:50.711{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-813A-609D-5B56-00000000BA01}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676077Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:50.711{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676076Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:50.711{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676075Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:50.711{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676074Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:50.711{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676073Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:50.710{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-813A-609D-5B56-00000000BA01}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676072Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:50.710{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-813A-609D-5B56-00000000BA01}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676071Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:50.710{7B03F3B2-813A-609D-5B56-00000000BA01}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676070Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:50.689{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD40FD4289E5CDAEC2D3BCDC794AE35,SHA256=895CACD24CDFEBB5708F522806CDB27C4275EC14FEDF8A080BE9861697144E6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676069Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:48.390{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51272-false10.0.1.12-8000- 23542300x8000000000000000573823Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:51.683{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27287B1EA5B1BFF0026BE2C9F5807AFC,SHA256=227096BAEDAAAB89AAFD474363DEC6FCB7FC0C3D1189826DB6E4273055702C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676089Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:51.726{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A0995FB4F086CDA7BF95D5A6A0A552D,SHA256=B9F0EE0C60FD3F41C222FD2CBB421A9650150148AE0B081F3D0BAD7A050ED24B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676088Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:51.711{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=102F6E23C8CBA9FC7D70D10A635BFD30,SHA256=8CD2F98500233C3935AE0F6D6857BA05B8AFD00E1FBEAD7B9031B293D5ABBC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573822Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:51.277{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=242420EEB7B532B879F572EA3497FCDF,SHA256=80EF89E40384DB070A87B72B02CD1980F9EE4C51855416B22917A26AB1570C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573821Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:51.277{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A800336BB41FCFE60F8BB2A337D40FB3,SHA256=C0A0EE306A9AA0BDFA956E6DEAC0FFA806407060CA1BEC9702866ED91F8A09B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676087Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:51.410{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-813B-609D-5C56-00000000BA01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676086Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:51.407{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676085Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:51.407{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676084Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:51.407{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676083Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:51.406{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676082Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:51.406{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-813B-609D-5C56-00000000BA01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676081Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:51.406{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-813B-609D-5C56-00000000BA01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676080Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:51.406{7B03F3B2-813B-609D-5C56-00000000BA01}6472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573825Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:52.699{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CD9CD4FA475E7117A6EFFB78D81C9DD,SHA256=C5D7BB5FC48601FC57A60794361E859FB78EB435DC07DAA1264B060ED1DA73CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676090Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:52.725{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F497E76DD1783725B39B4414ADF0A2E3,SHA256=E9262D772941565D4B4FA89DD3E9E9DCCF417CB9413D8F00D37915B466EA25A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573824Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:49.892{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52861-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573826Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:53.745{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4DAFA36916C4911B08C61CC37D86B3B,SHA256=5C6C56220192D082EB406F14FD72308C3EA5D35FD7DFBC7AD9DC1BE4B52DA78D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676092Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:53.756{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A284576A8C33A1E0BC6A43A65DA607,SHA256=6FF43755A721F5BAC41B124B84C00BBD121F1173D0CC19A2CF75AA38FFA13214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676091Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:53.604{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4DD70F560EAC7AF78B89ABBC4DEE8881,SHA256=D6E54B9BBA6827E87DD8A3F4BB7E0473F7009F49C4078E2AE4F134E4453DDFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676094Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:54.771{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CA85FD5C97F1B9DCC79416195A30F4,SHA256=458BE11C0313F246A90BC1408580D97C8D6E8D332FCB2ED4BB9EE490E11558C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573827Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:54.761{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E347CCEA7889DF2BA29E2A0662235FCB,SHA256=D1626D52564A4FDF3A1651F3B01AD017E71CEBA3365E128E626F0E674C787B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676093Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:54.187{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=103E142455953C8F72A3318C27903917,SHA256=22F170B7D7D4D5609269EBE1812892708E135D291154F5173C94ED6CF8556BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676096Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:55.786{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3847CAB6EBB0CC680D6A21FD4061A424,SHA256=9FB275BFEBE5C1C0A1FEA50EC10F3C887F5A8E3EABAAB2FCCED130F6AD54E62C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573828Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:55.792{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDD9A9BD805ADFDDB9B83DE8962DF57,SHA256=3955ECA4A8EE9B1BEDBA86CD04396749BACAE14FBB834AE10B4029FF4FAACE21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676095Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:53.421{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51273-false10.0.1.12-8000- 23542300x8000000000000000573829Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:56.792{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B9B945DA1A1276677F32D4C2290FE6,SHA256=51B4BB76A03131694BFC86E179DECFCAD21FF734A1A56DDA049D6106D80C42A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676097Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:56.803{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C463DF241E57225F72A332434303E1,SHA256=A2897B9673CD39F479FD4046C00BF7347F9934D6FB3ABF6EFFE88B1DA571CD7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676098Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:57.823{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6A6187F70DB0FE37DD6E1E4A2E748E,SHA256=13E11C4A2E83460D3D9AC17507C3E9019301023F788F5CE8314202B0E843218C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573832Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:57.824{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B531F9DF2C076E310D98C185FBE2579F,SHA256=77EA13A9DF1BA2F04237C540127C8BEA250114464F9F7EBE77BAB2CD12EAC76F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573831Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:57.120{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2298184AEB7CEC9A56047775C28F7534,SHA256=C0D9C173726C574E4B68404AF79E26EA0C470E14C1AEA4DBD47B4E562306845E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573830Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:57.120{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=242420EEB7B532B879F572EA3497FCDF,SHA256=80EF89E40384DB070A87B72B02CD1980F9EE4C51855416B22917A26AB1570C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573834Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:58.839{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B6F0DD91F0B6E59B03087FF93FFC332,SHA256=D749F2A5F4058CB6263D066910EC1C8E8109210C84128FAF190A717A7AD39B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676099Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:58.837{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FFE3F14A648E2D61F71BF67D62D2AD2,SHA256=8B128965AC06500E6FE593299507CA67CDE982EB8CBE3624BA3640E45081F05A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573833Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:55.720{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52862-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573835Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:42:59.886{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B71C630395F53A4DCADDBE120CEA72,SHA256=24F82BD848CC3255DADC975CA84771AFE4DC9EB939C3397687475BA82001E84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676102Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:59.853{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44279C31D1AC6CCD9DC8BBF67F68C8BA,SHA256=7A4F9CFD494410781CE083C5DC6941594D41C74F0D3210D00F720E897CE5C8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676101Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:59.221{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69FEC443ECE539005BF713C67A2E1A0B,SHA256=B7227728A7E5781A732CA04B04B624817DBA5AD15355DA9CB4EEEA494FA62EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676100Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:59.221{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1AB548F2DB359A055C599C04125951F,SHA256=AFE3BA22B91910AD5FE521F27E81A7874BAAA8DA4CA28F0C95531F76A047DE23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573836Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:00.917{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47760168DC4721A2D2EED35890EF6EA9,SHA256=7556B2B96877F128FCD19BF5CA6263A8E000BFE22C15CD9E6DEDA193B8976106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676104Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:00.868{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959C103A18990015DF424CE7C43A4E41,SHA256=D070724586C124E4A79D7B3976C0E34AC7DDCB41C22E6C5B927E82E32334A2EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676103Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:42:58.449{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51274-false10.0.1.12-8000- 23542300x8000000000000000573837Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:01.964{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96461D3B77D611E208E13B144128157D,SHA256=E9CC2E396AB72410E9AD84F6DF9DA5D0553D61B075FAE042842BCD29BFCFBA03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676107Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:01.886{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B5C3287B068506DD0BE5C59B628BB23,SHA256=50E37FCFD29F5DCC1D90E091DC2FFA24448C816B6FF237529815DBC5017FB923,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676106Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:00.332{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local54158- 23542300x8000000000000000676105Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:01.104{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69FEC443ECE539005BF713C67A2E1A0B,SHA256=B7227728A7E5781A732CA04B04B624817DBA5AD15355DA9CB4EEEA494FA62EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573841Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:02.964{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EBF16583949DC3BBA013C3FD6C152F,SHA256=A172533E949344C5E2964B691C78661161B429A7ACDD3D2B032BDC43EA70AADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676109Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:02.904{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01426152CB793FE1F776EABFE06DD0FB,SHA256=CFD34AFA126A514163881836885F6560BEA3DC152864A11E5AF245D6012E0864,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573840Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:00.736{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52863-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573839Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:02.136{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33AEE70B90F1D40E6A0CB53CCD8DFD84,SHA256=20D11A0521E085D04E55741882375DEEE2B0CCCF7E7CA617F8F93C5C862375F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573838Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:02.136{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2298184AEB7CEC9A56047775C28F7534,SHA256=C0D9C173726C574E4B68404AF79E26EA0C470E14C1AEA4DBD47B4E562306845E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676108Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:02.639{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16030E76A11EDD52273990C43D9EF0EA,SHA256=D9792C967DB3F865236B5E309C2C1014BCFCE8F05ABD06F572D1BCA5DB3CA2CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676110Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:03.922{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDB46A88C4295058CDFBF52A4315F008,SHA256=9076C41B9666A2BF7F6FD625E23798FDFD696E5A2976BA480319821FED687E31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573842Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:03.995{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE67227F75F8C9B208044D3733EE8B6,SHA256=D43FA6F5B554909846F534E3B733EFC76E57051960479F4AA842F3C1F34E6C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676112Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:04.937{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7353A9284DF4914599A74E46A38E7B,SHA256=1ACED74EC47CA45BA26ACE7747C773B73C16368C0BB228E8AF36BBDFF541803D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676111Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:04.253{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA536CF39F3EF66E973016F7A623E0F0,SHA256=A76EAC3686D29959657DDAF069E06621A527406B9F8FE3C588AED57622741311,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676114Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:03.468{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51275-false10.0.1.12-8000- 23542300x8000000000000000676113Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:05.953{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F365A333F7B8C0C7EDAF5B87AC0E575F,SHA256=46B29E766D6D563C60336F5A36E078ADE11F33C677D6D941CC755EEEF49A689E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573843Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:05.027{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265270F8876D45A0B0FD6C80D4236244,SHA256=8276049F21861C3973181F17A50D523D7D5BA0541124E69C3FE21DFA7529BA4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676115Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:06.953{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47C6F57532220217E173A20C3322532,SHA256=9684F93DFF205EC01498E7ED5F5F06595964BBB9AE53771B635A23FBFC52C98D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573844Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:06.027{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B163857253B8ACF6E6E6C485B226E2A,SHA256=0842677CFE27849650BE15EEE3733D143F3DF9DEB85F688A4D61324E67615FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676116Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:07.822{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBB0732CE2F30E0F4EE3B8ED8FEE863E,SHA256=BED7F68C2EDA8ACF332E7F94C5819141844B8E88CD3FEC661917AF6290DE3C6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573848Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:05.783{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52864-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573847Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:07.172{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01FDD17031F7ED0FCF0F3319AEA71DED,SHA256=9A81320905C62D89E2B0B5111AA84BF00CCFF8BD0A91EB483ECE42441E7DAE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573846Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:07.172{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33AEE70B90F1D40E6A0CB53CCD8DFD84,SHA256=20D11A0521E085D04E55741882375DEEE2B0CCCF7E7CA617F8F93C5C862375F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573845Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:07.047{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7A2B0CFDA71C857184DCFC92FA27A5,SHA256=A68BD56565D84C79DA512B22977983B7A25A86ADCC197F389F1410B4E10597F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676117Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:08.003{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0037F0167937DB0BF25BCB33F0393A9E,SHA256=379706A8C8739061F85895F14EB7B933687C94B6917B228615AFFC2BD68115E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573849Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:08.047{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B09A9B3A8403B5F63162D4CC35EDD5E,SHA256=AF1853053A9B5D900B4024714ABEB879FC8FEB3921BC4D9128C6C0F73765B3E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676154Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676153Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676152Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676151Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676150Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676149Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676148Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676147Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676146Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676145Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676144Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676143Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676142Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676141Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676140Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676139Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676138Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676137Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676136Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676135Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676134Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676133Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676132Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676131Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676130Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676129Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676128Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676127Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676126Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676125Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676124Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676123Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676122Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676121Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676120Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676119Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.520{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676118Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.021{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1332C76B526B21052C1B9AC22F8DB60,SHA256=ED034523D76D1AF1D242A3D4C93C8F54A33B612F02AAB3115A04916C17E6A6E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573851Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:09.532{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=0E0F49D1C7E893BF3BE046397C755D20,SHA256=0F0241B2207929295982C134DE41CEC1ED5D47A8C1D377A95F577C067AE279FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573850Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:09.047{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B104DD710EB001417049A41C9BBFD4E,SHA256=F8C6AAEAF6A161989936590DE7E3F926E2B2EB3034DB2EDE105ABCDAA7FB8753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676156Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:10.481{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF4069C5D094D42C1FB3BD491899D11A,SHA256=B72B314A0A538CAAB09FF211E36695F9DE86E0EFC461303B48E0F6474362F26C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676155Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:10.481{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDB1E717E84E4AACA08C887E95249B64,SHA256=8F457F5668C681D8F3EF3E50B522C0D0321463CACDB70FB9745286BD1BE9F2B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573852Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:10.063{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D272463118D206329F04340B30C819,SHA256=318BD760015418C650E62E6E92F5263CC8DDCC12B306160B4306D7D2FECF61F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676158Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:09.297{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51276-false10.0.1.12-8000- 23542300x8000000000000000676157Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:11.518{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBBB83458BD5BD3ABB7A4405BC66DEE,SHA256=BDBC1F80B6EC222C176F7CB6651CD59868988F9AF765F12B632E8AE81B2B1A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573853Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:11.063{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2186D46BBC6E0A51673D4466D46F1E14,SHA256=A182CF0F53C1CF1CC4DBEB08E34F8E109DAF43700F2ED27D61B572DA91B2AA28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676159Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:12.533{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76E8747BCE3DE840B91F52C4FA32BB90,SHA256=0C15F679111EE409C52E505DC58C8B8FBE7C590CD30E63A3424CDC39F3229EB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573857Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:10.850{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52865-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573856Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:12.344{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=320AA472C490206AAE87E239C1663D66,SHA256=9D120CEB9B0D661681F5D40ACEC7285272492A29B206071E3446B3A45CCE556F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573855Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:12.344{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01FDD17031F7ED0FCF0F3319AEA71DED,SHA256=9A81320905C62D89E2B0B5111AA84BF00CCFF8BD0A91EB483ECE42441E7DAE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573854Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:12.125{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6733B8C0E459A72EDC5C2F35A7D7D8E8,SHA256=2E0CA37598710AC43639AF1DAB31A1DCDDB2E44B23CF5B7A8F88EE91951082AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676160Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:13.547{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1B445374FE25B4A2F7A65F587643CD4,SHA256=D5FA797D147B530BAF0CF4082DDA06655FBB657BAC28A792B9E19EA854A81260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573858Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:13.141{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A4E0641E2350EC263115352A521EAC,SHA256=FBA30BD75E963F758AFCFBEC49FF6ED9044B29275896CC32ABE801C9D060C663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676161Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:14.577{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982A7CEB0667A6928B8387537E3CAC1C,SHA256=2DE2D5AC4A7702A987517D911E9D7E3CEBC8409F4ED0FAED04CECCC6BDCCDD87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573859Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:14.172{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB02376993314898A0197FA31311E33E,SHA256=A57B87656B0AD9C71C4D222D2887643B64EEBE2F80A4CD33D320CCAB30ECE045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676162Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:15.613{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECA92889CB4E90F8DB47FFFAFEF6B9C2,SHA256=DD54EFF7315C4ECC383F7579A57799FC002AAF1B7D039D8FAC308044949E0DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573860Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:15.172{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2472B023AF17F4F8F7167752D49EA545,SHA256=0683387EB4989F9829F71D1AB2F5960CCF01F289937C73F52CAB6B383A683AC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676165Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:16.627{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C790D9EE1C25CE3AA4E1CBC93BE17F8,SHA256=836DEDB00D5FA5F0AB802F5FD99898E820FAB62541C7229D6B62BC5D30D70021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573861Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:16.266{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D3E7450313C193D19846A2CF51F8D3,SHA256=117FA0EFFEE61B74821120332275573DC394E22E3723F4C7493A5D1CA9C7580F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676164Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:16.097{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=636039EB0DCEE17FB4A2D8A817A9909E,SHA256=BADBA9D8274BAD86239207C75D57FDFA59207BA48C4505CA7F71D8D37C89021E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676163Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:16.097{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F68E907ECEF12BD951A03AB7E98BEDE,SHA256=708D310C33A01C3E475E5918653E44DC11FB24C12EAE3CA3651B7F7CDBF955AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676170Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:17.795{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676169Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:17.795{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676168Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:17.795{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676167Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:17.795{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676166Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:17.657{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF7E2429C7C3FE97E25CD7A5F41C05E,SHA256=F68F0BCECF973C92888D97E8953D8F96859B73257EBB6832728D7DF300350BE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573862Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:17.328{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A277EFC540FE2498CABB5707DE3837,SHA256=17A19B3E20D53ACFEC647BD3D89D4037EEDE854E3C910C5E096ED5E64FDDE38A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676172Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:18.672{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A596FC14E5375567F53E008DDF8057DD,SHA256=32663A428127E772360BB245A7809C66A48EE42FB2D5C167069894E6AD36E831,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573866Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:16.756{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52866-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573865Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:18.329{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E383809156615A4F5196B5274E2B2608,SHA256=48BC194F3DAED0CC7B66163DF4E466A168CE8C62CF777CAD6BE89467C4D132DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676171Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:15.322{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51277-false10.0.1.12-8000- 23542300x8000000000000000573864Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:18.141{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DD96A6CA9FF6D5FD66B113815092A17,SHA256=805D4F668D7591AD31A165E9EEED3E64C541FD4FE1BBD26B4DB32AF6B2761702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573863Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:18.141{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=320AA472C490206AAE87E239C1663D66,SHA256=9D120CEB9B0D661681F5D40ACEC7285272492A29B206071E3446B3A45CCE556F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676217Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.809{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89B9A01B52D8C6E30807C8B4349741F,SHA256=BACBC19895B84BF231FBFA91903D50EE2C9B0268CA412C79ACBCE9FE4001644C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573867Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:19.344{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7252A338CAEC94BFD4DB3BEEA94544CA,SHA256=5C6B55205862D5986B8EEF90279EEA91B281DDEFF57AA000BAF9D0D63D42C570,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676216Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.489{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676215Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.487{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676214Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.487{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676213Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.471{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676212Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.471{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000676211Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.471{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676210Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.471{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676209Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.471{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676208Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.471{7B03F3B2-31A0-609C-522D-00000000BA01}18768056C:\Windows\Explorer.EXE{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676207Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.456{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676206Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.456{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676205Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.456{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676204Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.456{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676203Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.440{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676202Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.440{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676201Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.440{7B03F3B2-D0CA-609A-1200-00000000BA01}3881592C:\Windows\system32\svchost.exe{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676200Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.440{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676199Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.440{7B03F3B2-31A0-609C-4F2D-00000000BA01}9683428C:\Windows\system32\taskhostw.exe{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000676198Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localT1042SetValue2021-05-13 19:43:19.408{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 10341000x8000000000000000676197Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.355{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676196Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.355{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676195Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.355{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676194Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.340{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-8157-609D-5D56-00000000BA01}4544C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676193Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.340{7B03F3B2-D0CA-609A-1600-00000000BA01}13041344C:\Windows\system32\svchost.exe{7B03F3B2-8157-609D-5D56-00000000BA01}4544C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676192Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.340{7B03F3B2-319D-609C-402D-00000000BA01}22881868C:\Windows\system32\csrss.exe{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676191Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.340{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-8157-609D-5D56-00000000BA01}4544C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676190Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.340{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676189Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.340{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676188Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.340{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676187Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.340{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676186Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.340{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676185Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.340{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676184Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.314{7B03F3B2-8157-609D-5E56-00000000BA01}2692C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{7B03F3B2-319F-609C-E1A8-A20100000000}0x1a2a8e12HighMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000676183Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.324{7B03F3B2-319D-609C-402D-00000000BA01}22885884C:\Windows\system32\csrss.exe{7B03F3B2-8157-609D-5D56-00000000BA01}4544C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676182Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.324{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-8157-609D-5D56-00000000BA01}4544C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676181Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.324{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-8157-609D-5D56-00000000BA01}4544C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676180Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.293{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676179Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.293{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676178Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.293{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000676177Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.293{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000676176Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.293{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000676175Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.293{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676174Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.293{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676173Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:19.156{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=636039EB0DCEE17FB4A2D8A817A9909E,SHA256=BADBA9D8274BAD86239207C75D57FDFA59207BA48C4505CA7F71D8D37C89021E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676219Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:20.823{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97E99E9516C68BC71322F9E04480594,SHA256=FD949F5266FDE08DF6500E3CECCC5596FA1A02B4E13D5E56E2690ADDA9130FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573868Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:20.344{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C54A8801EB39DFEC27C2EEAFE92720B,SHA256=21656569EB39A1D709A5076516B7E94BD1C2F738171181E79C4728560E7F39EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676218Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:20.308{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B1F702E46F853931AEE463B0AE8C730,SHA256=1AD69E763BBE66D481F121C78C7FB38D725B60F1A5C2522EA0F2EC534A5E06E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573869Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:21.407{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB0FC87D89C3CBD909B182B4D0AF1C8E,SHA256=62E35695C1063C7E9B4553934FD2A5E8F26DB233403FDF95F410E9B14322783A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676220Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:21.854{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1E8125F28EA7C01E9C25B79BF2AFD53,SHA256=59289C90B05EA736484457985323298A5989AD3D9BA1A5C1E98C843C9CF0D265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676223Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:22.855{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B0F1CC6AD9A8EA84B49A85CCFAA9BC,SHA256=83D8A37C75A2AE62B4C2A81CF8BBCB1436288BEF73C03F6173E5ABA1520FA5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573870Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:22.422{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAAED6AAAFF8D453DFA9D225BE110C4B,SHA256=7D02CFC49EA952C210711CECA45B4A11081B7832409B0F005CA9C7E3430C0966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676222Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:22.655{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C72465E196249F603D9C003A4EF4DE1A,SHA256=74DF8D63176C89A317A7BC79DE4A670DA2120D73CFCAD42D0A9DB6CBB431790D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676221Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:20.385{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51278-false10.0.1.12-8000- 23542300x8000000000000000676224Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:23.887{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A1FA621BB5E6E2A648A42B7AFEFBCE,SHA256=CC1C23E1E5792DA3198123B58F1488B5CCB9DF6C1ED4C390EB28FBBEB094AE7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573873Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:23.469{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45DAD6CFC7AA83CB80D60894D708D853,SHA256=F9E9F89B38FF563679E46E07962276A817DE7D02F60CF51299CFF6C00DFEBF83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573872Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:23.235{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D74FC497A639A1DABE641BE2C8615B9A,SHA256=B188BDC465E0A0CB758460E71046093D05391A2B781C5678DB686D4302FAE0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573871Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:23.235{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DD96A6CA9FF6D5FD66B113815092A17,SHA256=805D4F668D7591AD31A165E9EEED3E64C541FD4FE1BBD26B4DB32AF6B2761702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676225Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:24.922{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEED49EB6B0397C802EEBF7EB8467A9E,SHA256=A8E31E890E32C54E628DD1C532F6E63CA55655574C58CD005FECDDF37F3F60F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573875Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:24.485{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F3B7B393C30D3687BCDF0DB3A9ADEE,SHA256=523959131ED039869FAA18FA5AFC793618583FF48B575BD49AD76056D082DE96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573874Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:21.803{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52867-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000573889Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:25.782{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-815D-609D-2751-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573888Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:25.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573887Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:25.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573886Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:25.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573885Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:25.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573884Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:25.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573883Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:25.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573882Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:25.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573881Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:25.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573880Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:25.782{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573879Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:25.782{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-815D-609D-2751-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573878Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:25.782{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-815D-609D-2751-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573877Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:25.782{E1BD9FC2-815D-609D-2751-00000000BB01}820C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573876Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:25.578{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7715F2DF9395484FACAC1995BE81FC,SHA256=332342A9602AFACECF41F831AEA897A85C858E14AA5668BCB2E94EA7C506514A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676227Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:25.406{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676226Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:25.307{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E76A7EA00D51CE35255E76AD41BF59D3,SHA256=6EB1D5962F18AF69DF960FFEA9FD68740BA93E8832F34B69EA9413645753A846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573904Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:26.919{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D74FC497A639A1DABE641BE2C8615B9A,SHA256=B188BDC465E0A0CB758460E71046093D05391A2B781C5678DB686D4302FAE0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573903Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:26.919{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F3B5957ECA9B436782A0C9729A3CCC,SHA256=EFB88F6B369327CFEBE8CFAC01332C2A451B01AD65C37EA698C27DEF44F33840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676231Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:26.405{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D036CBF7B1C3CAB03064D7310B3B5052,SHA256=17A66C23D937A874D9F723799821131B94A2362E4106B6D9C9293989A57D85D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676230Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:24.531{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51279-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000676229Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:24.531{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51279-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000676228Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:26.021{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=429CDCAB9E9EE1F3F4D66B59915E5379,SHA256=464011F3BEE177C13A4B5CC9726503BF6F10C3F6597FBF26AE2853814B90D2DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573902Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:26.454{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-815E-609D-2851-00000000BB01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573901Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:26.454{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573900Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:26.454{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573899Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:26.454{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573898Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:26.454{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573897Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:26.454{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573896Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:26.454{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573895Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:26.454{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573894Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:26.454{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573893Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:26.454{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573892Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:26.454{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-815E-609D-2851-00000000BB01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573891Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:26.454{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-815E-609D-2851-00000000BB01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573890Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:26.454{E1BD9FC2-815E-609D-2851-00000000BB01}1848C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573919Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.950{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7F477D8D2F955F6372E113133A62BC,SHA256=34C6E9B405411C2DD4E8DA1F6E94E247E29E01FDF5F55F938DE5D137B318FCE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676235Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:27.668{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B260D15CE823ADAF24F7949331FDF97B,SHA256=73933E36FC0D9275F526A4F8CB91561AA61E4FD44BD6260F8A9B227129A3AD70,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676234Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:25.636{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51281-false10.0.1.12-8089- 354300x8000000000000000676233Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:25.430{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51280-false10.0.1.12-8000- 23542300x8000000000000000676232Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:27.036{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A6DB4D0DDC7B095947BCAEE56610D1,SHA256=5F4C363F39BF8C74A63012A567C90D5D5BBEECE8917FD68F3A3838E7738E8CCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573918Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.263{E1BD9FC2-815F-609D-2951-00000000BB01}25001648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573917Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.138{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-815F-609D-2951-00000000BB01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573916Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.138{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573915Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.138{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573914Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.138{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573913Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.138{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573912Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.138{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573911Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.138{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573910Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.138{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573909Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.138{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573908Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.138{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573907Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.138{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-815F-609D-2951-00000000BB01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573906Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.138{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-815F-609D-2951-00000000BB01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573905Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.138{E1BD9FC2-815F-609D-2951-00000000BB01}2500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676236Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:28.086{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34A1058939D11AFEDEC5E3729B0449B,SHA256=4F07E4FDC8D302A153CBF3C9FE689466EA6C094B324FEECEDEF8049D55495062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573920Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:28.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=438654D95551FE44D11ED3052CFAF9A6,SHA256=98B25CB4D81F45FE0EFD49D7F6858CC7C6453D2F326E409A4ADC339CB96DE568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676245Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:29.949{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=D79E14249ADCD38A074D7B0DCAF5A1AD,SHA256=40ECD3175B8948F0DF6DBEAC02A0972A11A9542A19ACB2917508F40753FD7D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676244Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:29.949{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=6EC22BDB9E76399399D8C13817D86054,SHA256=7016D86D61E5413943B327DC0D1371972D49C9D75A5F15F074BA58E9E748B046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676243Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:29.949{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=6707685B9180FD2FDA9AE3D751971EA5,SHA256=07B471DD0DBDE1A8F5472B9691A12BF704BBF1D5C855F5D600B07ACA9D85EC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676242Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:29.949{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=C935515FEE0A632304B5EB2D3CAEC1BD,SHA256=ADAD94F06E7A4B65B2A9C4ED1C4838ED0882C9DA831B80407FE6404F5E1A134A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676241Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:29.949{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B8B44AAB1D17AE1A16A8206893971ACF,SHA256=760B80B6AA8B7BF370DBC395EC5107852DF5D7C6AA2FE61AA946773C6C64E290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676240Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:29.949{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=9BF5D269B16ADD7BA6E38859100EAF10,SHA256=3E7CB8C2450680501A28B108D3FF97E605564738A638A4F489634F81D0150256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676239Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:29.949{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=7C281B1871821C7FE01E9D63A285F998,SHA256=E9D11113E3FB96A408CC7AEB25BD5398F136FB812C90035B8CD26E79BB190228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676238Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:29.949{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=BB46B764BD516B44946954A5219B0B82,SHA256=30243274FFE6E93F0B35A3CDB5E8CDE3EAA6DBB21213643D4F1EA50DF0B90B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676237Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:29.150{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8D36077A8B548D15AD5C891B957262,SHA256=17E1083FAA805684B7DCEEB7C28374A8199487A1E6EF4E636D73275D7F6ABF03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573922Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:29.981{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573921Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:29.013{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93381550969F9D6BD612760BA732E00,SHA256=838DC84E5D365AC7268D3A73571D99A89EE37E7AA553EF958197A1E343F9639F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676246Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:30.165{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8A79604FC41B2A45503600A4D46660,SHA256=3010696DA1C468E6F073BE37D3DDC6D5C3B2C89FA0607D08CC017F74B014BBC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573924Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:27.753{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52868-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573923Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:30.028{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D346BF3EC73F890FF9D7749D5CD04D11,SHA256=E8DFFF3F3B79B60AC6F9D470A674AB2CACD5B6A86E9B60C422A0C4B1B55AD4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676248Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:31.233{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02DB189C1C48668380FBAD363B94EB5F,SHA256=8BC5605D5D57685C02EAD94016C1DECFE3EF7BFCEE13C998110BEE01C9BE8DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676247Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:31.182{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05F37C32E1BCE023A55923285AFC627,SHA256=03AFCD7AF7BB42825E8FD451E1C48095475350ABCA56134031262845E2D769C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573927Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:29.597{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52869-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000573926Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:31.060{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06BD9EB2CD9EF230C5E2C8D34D5AFDA1,SHA256=0BD06733A3DB45E11F360303669588D289BA2E9333F86B9AE837A51324B8DCB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573925Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:31.013{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2161E6832F408697734E991CDFE12CF,SHA256=4611DFD85FB4EE1CE793D34FA5693344FED50BCF33D4867125E16B4F9C57EC50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676250Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:30.463{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51282-false10.0.1.12-8000- 23542300x8000000000000000676249Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:32.200{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0E9616A8BE9552930BBF3AF7D8448A3,SHA256=4FA4E1AB2849A0DE442BE1FC2C32C7604D455A4CA26EBE0DBF41357EED3772F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573928Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:32.106{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C7BCB861F373881C5745D5B23662768,SHA256=0E76AB18BE25182BBB29683D4FB85B83A92522B255B39A5E7CF3687DC2CA3D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676251Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:33.246{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163064F7D298ECD0A2AC3BA867852C24,SHA256=137F454003C3D9FD951E68F104A96AA0882B2FEDC7FD549DA3CC205031EAC6C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573929Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:33.122{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3797C0CBFD3B26EAB45002D63E38ED,SHA256=22199D81FCE2DBC05C9614723A5FAC0789A6F23B9F3B8C07EFBA2CA1C7366148,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676260Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:34.959{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=06F08F0176CCDBB96372C0B969467817,SHA256=9B396DA4A987EBBA773D8FEC9B7C04BCA36EEB11F4C75EC2D7D17DD15E6F0D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676259Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:34.959{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=6667F5B77FB4FA75F2D5CA7872AC1F61,SHA256=7A7B4EB58D90E4E8DDE57728AB6543CDEECFEFCD0612E53E60E998E08483630B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676258Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:34.959{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=5B51F03E7DD83D96607E56B04640B88B,SHA256=C9E54B24848839C9B4ABB7E65F2341EC3C36ADC3E82C8324E3BD1A63C8719FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676257Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:34.959{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=CC995FB56BB50CDE5D2598F6858E2AC0,SHA256=150D3C5970CCD5ECCAE77056518E2F8E69F506CCFBEDCB803DF43C43E0FF6CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676256Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:34.959{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B88BD740EEEF894B1233F63B46AC1E9E,SHA256=F0DFD0D7D942F1478D7B46AE730A935AB3A2B11979CAFD45CE3DACD2A949E2E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676255Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:34.959{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=BC62F3B85605BBF90A79BDD57F6E9FCC,SHA256=5745E642E431790CA631D47D277939E8B6CF2E860EC78238192D276BCF057687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676254Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:34.959{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=801E17D2D79695567187C5EE4B9EF27A,SHA256=672A2EB6422EEC5E0324DDC705D39EA6747F1A01C00E6558211D17C39C418D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676253Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:34.959{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E58C78B429CCF857BEC2BF3FF7457064,SHA256=7FD50581AE60BB31B11103DE72F96B19AF910247CCADB085B51775A475A1F8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676252Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:34.313{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51E6C95489C5D2F9C7E9802F7AAF087,SHA256=D4DF3A8D697ECA4CDB55D819FB8DA4B29B03890E2FB3A3F73BD55F22495CC723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573931Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:34.231{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E412924B806169348A14170BEE28702,SHA256=704CB4C12DD227FAFF7C0B097D01BA6A3F473B4415F7A10D771780F1A4D7C594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573930Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:34.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AFB85E6E38E29C87ABF8F1FA0E7176,SHA256=9DBA741225950D17D757BFEA0061D585B6B41C51DD9E731506A6CD86BA8D785C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676261Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:35.328{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD00DA93DD90DEEB41D311E454996311,SHA256=94EBAF0A95B2B1DB0F66E157A4D3DFF9832667445DF40B53561933ADE75B72B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573961Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.763{E1BD9FC2-8167-609D-2B51-00000000BB01}31842792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573960Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.638{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8167-609D-2B51-00000000BB01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573959Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.638{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573958Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.638{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573957Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.638{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573956Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.638{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573955Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.638{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573954Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.638{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573953Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.638{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573952Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.638{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573951Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.638{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573950Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.638{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-8167-609D-2B51-00000000BB01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573949Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.638{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8167-609D-2B51-00000000BB01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573948Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.639{E1BD9FC2-8167-609D-2B51-00000000BB01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000573947Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:32.784{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52870-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573946Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.200{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B855D720EC3A7430051928378E2D82,SHA256=68EB96779116C57A0B058AADD7FE7D661FECA61BEFD466DE7724647350AD6B58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573945Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.185{E1BD9FC2-8167-609D-2A51-00000000BB01}9282504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573944Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.060{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8167-609D-2A51-00000000BB01}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573943Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.060{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573942Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.060{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573941Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.060{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573940Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.060{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573939Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.060{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573938Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.060{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573937Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.060{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573936Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.060{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573935Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.060{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573934Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.060{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8167-609D-2A51-00000000BB01}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573933Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.060{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8167-609D-2A51-00000000BB01}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573932Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:35.060{E1BD9FC2-8167-609D-2A51-00000000BB01}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000676265Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:35.473{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51283-false10.0.1.12-8000- 23542300x8000000000000000676264Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:36.343{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95033553C0D83D044F280BB5A267B7E1,SHA256=725450EC9DEE2171A757FA5091AD8E96FD5D7E7426CDC97847AFF1E88ABA2CCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573989Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.935{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8168-609D-2D51-00000000BB01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573988Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.935{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573987Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.935{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573986Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.935{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573985Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.935{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573984Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.935{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573983Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.935{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573982Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.935{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573981Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.935{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573980Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.935{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573979Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.935{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8168-609D-2D51-00000000BB01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573978Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.935{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8168-609D-2D51-00000000BB01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573977Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.935{E1BD9FC2-8168-609D-2D51-00000000BB01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000573976Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.263{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8168-609D-2C51-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573975Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.263{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573974Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.263{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573973Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.263{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573972Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.263{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573971Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.263{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573970Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.263{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573969Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.263{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573968Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.263{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573967Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.263{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000573966Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.263{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8168-609D-2C51-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000573965Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.263{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8168-609D-2C51-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000573964Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.264{E1BD9FC2-8168-609D-2C51-00000000BB01}3720C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000573963Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.216{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151DFA2A1EA9E2962FA882596F400746,SHA256=969FFD77DB54D130FB3A1147FC4770380D2D0DBF896D8F87DF604F978E762957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676263Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:36.278{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04891A2E48F4B618EE583881255AC6A4,SHA256=835502F8E3918AC3FAC2F773F988292DB7D98BC0B4AC854F0475A25DB3810A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676262Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:36.277{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBCB28E6804E7B3458A5C080661D57BE,SHA256=6BBD514092E4AE4AEDC8C6CA907AAC8233E3DA0AE68F084B570AAB495EBD9B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573962Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:36.075{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E9F1A288BEFCFC4A5ED68A8644E0F23,SHA256=C4FE7137CF3FDB576E0F22DC756AADA16FB3EA52DDD3E97DC43C6B7143618324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676266Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:37.360{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7219B4CAF97F484D1CDAC9C592F3ACB0,SHA256=A4B9453253F1AC0A5A6182340CB7DDD73C5C46BDC8CE4C99406E53E482B122E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573992Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:37.403{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09EE2D0156917982637ACF1438C5C9D5,SHA256=CA36E1B70B2498243B4F9165934640DEFC35C0D5D4EDBA666A9F091060A09E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573991Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:37.403{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3119CBF64453B9414C193E3378753DE9,SHA256=CCA42DF194DCDF65B2F24CC52A64E98EDECD71BE2E6D5BC08FC60FDADFA4B522,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000573990Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:37.060{E1BD9FC2-8168-609D-2D51-00000000BB01}36723256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676267Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:38.413{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BB3EC1DF4087F5DF5323818C5122EF2,SHA256=C86E0928001F414E7CD9128A7CAE29E20A26971B37BF3A6948FEF61DBC68FC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573993Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:38.405{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DC1FB0887876D1546B283B3464C8AF,SHA256=702D41A3872200A6108B64AD74A3D13D1D39337C64306A61E32166B227265AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676268Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:39.443{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496285F321E802F08BF047625FF302D6,SHA256=4885E5D925EC7560085D38AD77DE8C583966E78E7E569CBE6CAD3D0B3F9B5151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573995Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:39.422{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1225671E963644E7259C226429AA554E,SHA256=4978E0BA0D16BC17AE502BD0E564E99963A5850916C9964B387435FF5A8A3275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573994Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:39.265{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A71BF0075AE8D0C51D176A9A253A392A,SHA256=2AF8864BA45E87755E18308D84D8E0CA2AAE4D2EABEF35C81F6C79DF5E1D565B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676269Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:40.457{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD73231F17E9048F67721DB76EBCBF12,SHA256=9A74739BF9FFB6760DBB09C4567127B25AA55295D6EF7605CB7D255F4747B4D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000573997Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:37.879{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52871-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000573996Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:40.438{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79813F03791D500410A1D364A06C3D1E,SHA256=2622AD02A0A00FCD311C63F35BFE93B670B0CBA36395A26ED7BAD29A859F7131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573998Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:41.438{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087B8558CD263E321E5EDD0A6D3B42C2,SHA256=18B35B0C58D01197FA1CE98BE3CE2B8E76D65FB542DFCCABFD4A6F3F0DE35ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676270Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:41.475{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0565353543F1427E963EC2E4128252FC,SHA256=562A68C4A56FD87138D82FCBA4B8FA5ADF58AE394ECE28607841B695ACC8F250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000573999Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:42.517{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D0E08D10F55AEC510F10853FD447C3E,SHA256=D0C783964D1A13FF86A46212EF6D6B2E28EB6DBD836043C9ECAEFB76A4262A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676273Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:42.493{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3D10EAFF54D62144F0C78474634FE2E,SHA256=5AC83314EC96C189E7EFDCE838B1DD6262618757F04DA3ED0933EA6124FB232C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676272Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:42.276{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ED8C116E9AA56DFCC91D5DBEF959616,SHA256=0EBA2CE0ED087B0AB87CB0F1F7A4106143E3B7DD1AA1DBE31F284D306A51FCB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676271Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:42.275{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04891A2E48F4B618EE583881255AC6A4,SHA256=835502F8E3918AC3FAC2F773F988292DB7D98BC0B4AC854F0475A25DB3810A37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574000Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:43.532{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BED7E866BE36AC13C690AE7B0B5095,SHA256=0777F871C7553D289A945AFAB3D36AED24E522EB85C6B89B407DDFC3483841FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676275Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:41.502{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51284-false10.0.1.12-8000- 23542300x8000000000000000676274Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:43.509{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A00FB3C527CFE299EAAC91FC3CE3C09F,SHA256=78DDB518C20C2556CE165985BDFDE8D1318A9545D0900D34850BAD452A4D5605,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676284Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:44.954{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8170-609D-5F56-00000000BA01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676283Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:44.954{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676282Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:44.954{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676281Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:44.954{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676280Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:44.954{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676279Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:44.954{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-8170-609D-5F56-00000000BA01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676278Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:44.954{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8170-609D-5F56-00000000BA01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676277Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:44.955{7B03F3B2-8170-609D-5F56-00000000BA01}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676276Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:44.523{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68B87EE1BC4C865E9CBFDBE461C74C0,SHA256=344D5FA0949D479646206A5F5F6B5A650E23D4D22DA371F1AB6812B727005694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574001Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:44.548{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0735FAB5C5F8293B820529A3310AF052,SHA256=74136FA20E4C2E234EA98758483007DF5905964AE60DFC2AD58EF783CE8F91A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000574005Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:43.647{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52872-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000574004Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:45.548{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=147B3533B2A2F44E1DB78D8F9A3CB499,SHA256=B2FFB9AC5F31582871CB0DF322DC302002EC4863A71A1111EADF122949DEA338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676295Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:45.986{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0ED8C116E9AA56DFCC91D5DBEF959616,SHA256=0EBA2CE0ED087B0AB87CB0F1F7A4106143E3B7DD1AA1DBE31F284D306A51FCB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676294Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:45.845{7B03F3B2-8171-609D-6056-00000000BA01}62605980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676293Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:45.638{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8171-609D-6056-00000000BA01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676292Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:45.638{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676291Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:45.638{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676290Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:45.638{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676289Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:45.638{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676288Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:45.638{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8171-609D-6056-00000000BA01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676287Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:45.638{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8171-609D-6056-00000000BA01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676286Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:45.639{7B03F3B2-8171-609D-6056-00000000BA01}6260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676285Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:45.538{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F12C3EAE8D2CC3E8402E9596A73BCC,SHA256=BC29FBE710512E2A5B2DF35FAF14169D650863CF1594309EF9640A32A6324C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574003Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:45.032{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0483D62C1ECC7D4B2BCE296486EBC0D0,SHA256=44AFD4BA8FDF18E6D2084FFEFE84DDCD3F1FF73E450F012335001F838C3AD671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574002Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:45.032{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DAABA361EF3864B29D7CBC6084B1845,SHA256=4F8EB935BD6AB05962A85ED865171561CEA7EA83F75EE85A7E031920EF4E8AC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574006Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:46.610{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEA3382421E86DC4CD8C5BE564EFEF5,SHA256=11E6048F980C49FF213350E7D7EAB28FA4B0C94AE9C159F0649C984669E9A47C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676312Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.555{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD1B57ABD2C09A93DA695F6A6E38740C,SHA256=38F6F1242CDAEE5356C6E3BAAA4938661DB8C2079AA410CA083FD7D8F40CE0A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676311Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.318{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8172-609D-6156-00000000BA01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676310Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.318{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676309Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.318{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676308Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.318{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676307Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.318{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676306Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.318{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-8172-609D-6156-00000000BA01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676305Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.318{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8172-609D-6156-00000000BA01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676304Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.319{7B03F3B2-8172-609D-6156-00000000BA01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676303Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.086{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=CD829701496CF7E011A99501B3787251,SHA256=17193949D7E00734064341872A4ABB56BFEE3EC6DB705A6FACA9E807D50EBC32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676302Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.086{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=902A5E25E7B005C2F44DDECE6063349D,SHA256=6E77E9351B05488A148F41AA97A85C6CAF5836120E45640BAA73EB410ADDD1BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676301Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.071{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=7973F2A3020B979CC52B1C1EECE57567,SHA256=D847FD28B819ACE8BAC1518A5926386F123EC6E752D10174C24658DF39455B1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676300Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.071{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=80E063F3D4A39CC45F76ABF2B9767736,SHA256=9B1A8477E10FF08E7F801BAB794A896A6AFC6BB8ABA00C8669BC499AA8BDCE18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676299Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.071{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=F1A6C8602F05923C2457FE25BC7BCAF8,SHA256=8C1757A3936F4BB036E21C663BF9CD686E1216F077F439B7C5B8947DC28540C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676298Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.071{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=FFCE9F525657AFB8A0CA12B38D58A12D,SHA256=1460AE9A19089011F6998A353A090CBF905BC5D6203DE78B0C43FFCB22F99339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676297Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.071{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=4AEDA67A93ACC6591DADED5D5D5A5649,SHA256=B7FDAF5F6FFFB46361AA98068B9D488956981677B4AB892AB9D48142A2E82E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676296Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:46.071{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=25B136796908AAE37E72CDE3DDDA9B61,SHA256=7C00C6DB570EF305D8FFEE507C767637C7D6C8D49BF48169E49705C723B3F50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574007Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:47.611{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D9A6C2D645A748FA24F74D21A79CE4F,SHA256=9160DFF8E2EBAA4481CF58F8E9AECCE7BCDDE88EB999485B66B5E454B3970A78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676332Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.954{7B03F3B2-8173-609D-6356-00000000BA01}26167376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676331Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.770{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8173-609D-6356-00000000BA01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676330Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.770{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676329Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.770{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676328Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.770{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676327Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.770{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676326Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.770{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-8173-609D-6356-00000000BA01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676325Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.770{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8173-609D-6356-00000000BA01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676324Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.771{7B03F3B2-8173-609D-6356-00000000BA01}2616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676323Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.570{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=180C772550D8ED06B17D08877CC822D6,SHA256=64EA37925ADCC68A957B9C50B8F99FBD80C9B370052B4F6C19AEB6F1474C5E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676322Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.432{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25516B2D6102DC9AD696937F650D4B83,SHA256=4C2662A7F8C83AB42C2A3D0354A24EAAB43ED43B5469BA7F73E1CBB03EBA4B12,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676321Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.286{7B03F3B2-8173-609D-6256-00000000BA01}51765180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676320Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.086{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8173-609D-6256-00000000BA01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676319Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.086{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676318Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.086{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676317Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.086{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676316Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.086{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676315Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.086{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8173-609D-6256-00000000BA01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676314Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.086{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8173-609D-6256-00000000BA01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676313Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.087{7B03F3B2-8173-609D-6256-00000000BA01}5176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676335Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:48.801{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F5B4C3157A3EACF4F59ACBE37AA08E7,SHA256=381A9CDB23367125821F358084797A88E29C9B849C5309E634DE76DB79839E7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676334Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:47.415{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51285-false10.0.1.12-8000- 23542300x8000000000000000676333Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:48.601{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33262B9DFF8208CF5A522A1D0656C156,SHA256=96EDC0A7FEE8F6F77F126D326A0FE4FDD1BC67A8838EA76A95C54DBD6987A20E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574009Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:48.877{E1BD9FC2-D2BA-609A-1400-00000000BB01}3882052C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574008Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:48.658{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C657B2E9789007840E919DC41FFFBE54,SHA256=AC40C9D54C03F7E9C26DB4A4808ED65A7DF5AB6409D9EF4A904649ECB20AEB1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676336Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:49.616{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5834A973EDA9619F2E5455B2C5608487,SHA256=6945A69E9CFB100948F6BA0937F5C5BE111F71CDCC11AB73E09DC3566DE1D542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574011Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:49.831{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0483D62C1ECC7D4B2BCE296486EBC0D0,SHA256=44AFD4BA8FDF18E6D2084FFEFE84DDCD3F1FF73E450F012335001F838C3AD671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574010Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:49.690{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4886208BC1DA4F7F6EA1503C92219BDD,SHA256=5DB00D6649DB32507815E85E83A5E411BEFE125F046246D843965B7F7A05FDED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676346Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:50.914{7B03F3B2-8176-609D-6456-00000000BA01}76125928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676345Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:50.715{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8176-609D-6456-00000000BA01}7612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676344Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:50.715{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676343Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:50.715{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676342Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:50.715{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676341Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:50.715{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676340Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:50.715{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-8176-609D-6456-00000000BA01}7612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676339Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:50.715{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8176-609D-6456-00000000BA01}7612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676338Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:50.715{7B03F3B2-8176-609D-6456-00000000BA01}7612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676337Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:50.648{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3793E717BAD88C41665A0AF533211FA0,SHA256=9B6E3E30D812DFD0CB8812E5BCF1E47CB5C5CB2D84B1EC5593129A2C21A2AC66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574057Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.987{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3DCBE65AEE7A719D60D04C02A8F1CAA,SHA256=28CE08A44315C93FCDA0D8898C7872BE38AC45C3352CAFDC97C9A4288FACC006,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574056Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574055Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574054Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574053Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574052Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574051Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574050Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574049Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574048Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574047Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574046Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574045Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574044Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-2F51-00000000BB01}3940C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000574043Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000574042Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000574041Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.940{E1BD9FC2-8176-609D-2E51-00000000BB01}11443376C:\Windows\System32\smss.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x8000000000000000574040Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.948{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e72SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{E1BD9FC2-8176-609D-2E51-00000000BB01}1144C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000cc 0000007c 10341000x8000000000000000574039Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.940{E1BD9FC2-D2B7-609A-0200-00000000BB01}3203636C:\Windows\System32\smss.exe{E1BD9FC2-8176-609D-2F51-00000000BB01}3940C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574038Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-2F51-00000000BB01}3940C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574037Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574036Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574035Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574034Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574033Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574032Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574031Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574030Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574029Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574028Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-8176-609D-2E51-00000000BB01}11443376C:\Windows\System32\smss.exe{E1BD9FC2-8176-609D-2F51-00000000BB01}3940C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x8000000000000000574027Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.933{E1BD9FC2-8176-609D-2F51-00000000BB01}3940C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e72SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{E1BD9FC2-8176-609D-2E51-00000000BB01}1144C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000cc 0000007c 10341000x8000000000000000574026Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574025Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574024Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574023Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B7-609A-0200-00000000BB01}3203636C:\Windows\System32\smss.exe{E1BD9FC2-8176-609D-2E51-00000000BB01}1144C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574022Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574021Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574020Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574019Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574018Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574017Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574016Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.925{E1BD9FC2-D2B7-609A-0200-00000000BB01}320840C:\Windows\System32\smss.exe{E1BD9FC2-8176-609D-2E51-00000000BB01}1144C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x8000000000000000574015Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.917{E1BD9FC2-8176-609D-2E51-00000000BB01}1144C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000cc 0000007c C:\Windows\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e72SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{E1BD9FC2-D2B7-609A-0200-00000000BB01}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 354300x8000000000000000574014Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:48.648{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52873-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000574013Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:48.495{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse174.27.152.255-64809-false10.0.1.15win-host-681.attackrange.local3389ms-wbt-server 23542300x8000000000000000574012Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:50.784{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A33C1BE41155BF6C0AB25E7A3A89E3B,SHA256=5B5A97911A97C2F209F94BA96CF5F086583CA594E5A0EE028BA7E93182F675FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676356Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:51.730{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F1C79B5916C4F3C330FB6CA754C9AE2,SHA256=D695EC0789FA557ECF7726D30769FF28FD835122EBFBC552DC5E574EAA815938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676355Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:51.667{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4682695234803C0D4B6A27E2E99BEFBC,SHA256=52C43532B58A3F6A491622DA928C871797A0B230BBD9A2EA2D145B6D7FF8688F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574217Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574216Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574215Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574214Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574213Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574212Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574211Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574210Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574209Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574208Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574207Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574206Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574205Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574204Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574203Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574202Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574201Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.972{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574200Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.972{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574199Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.972{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574198Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.972{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281644C:\Windows\system32\lsass.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574197Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.972{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281644C:\Windows\system32\lsass.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574196Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.972{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281644C:\Windows\system32\lsass.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574195Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.972{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281644C:\Windows\system32\lsass.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574194Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.972{E1BD9FC2-D2BA-609A-0F00-00000000BB01}9203192C:\Windows\System32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574193Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.972{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574192Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.972{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574191Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.909{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97547E80947FF5818CFE7ECC5D453D3,SHA256=40D19D065FF1D6AC755E8B1466B00F3C00A35ADB8775722601E7306A59FE85C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574190Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.909{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F21AAE6E09A18F1C95E84D0147CD630,SHA256=85F3B38700C74262BA0EEFB430AB21C25FC78AA60B48F5DDEC65D50DD904509B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574189Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.847{E1BD9FC2-D2BA-609A-1400-00000000BB01}3882052C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574188Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.831{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574187Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.831{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574186Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.831{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574185Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.831{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574184Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1700-00000000BB01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574183Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574182Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000574181Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-ConnectPipe2021-05-13 19:43:51.831{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920\TSVCPIPE-88aa4906-771f-4694-8750-ccd2472df030C:\Windows\System32\svchost.exe 10341000x8000000000000000574180Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574179Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574178Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000574177Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-ConnectPipe2021-05-13 19:43:51.800{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920\TSVCPIPE-88aa4906-771f-4694-8750-ccd2472df030C:\Windows\System32\svchost.exe 18141800x8000000000000000574176Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-ConnectPipe2021-05-13 19:43:51.784{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920\TSVCPIPE-88aa4906-771f-4694-8750-ccd2472df030C:\Windows\System32\svchost.exe 10341000x8000000000000000574175Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.784{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574174Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.784{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x8000000000000000574173Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-ConnectPipe2021-05-13 19:43:51.784{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920\TSVCPIPE-88aa4906-771f-4694-8750-ccd2472df030C:\Windows\System32\svchost.exe 17141700x8000000000000000574172Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-CreatePipe2021-05-13 19:43:51.784{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920\TSVCPIPE-88aa4906-771f-4694-8750-ccd2472df030C:\Windows\System32\svchost.exe 10341000x8000000000000000574171Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.784{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574170Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574169Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1900-00000000BB01}1920C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574168Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574167Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2BA-609A-0F00-00000000BB01}9201472C:\Windows\System32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6a73d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574166Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1400-00000000BB01}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574165Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1400-00000000BB01}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574164Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1400-00000000BB01}388C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574163Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2BA-609A-1600-00000000BB01}12122964C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574162Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574161Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574160Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574159Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574158Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574157Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574156Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574155Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574154Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574153Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574152Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.768{E1BD9FC2-D2BA-609A-1600-00000000BB01}12122964C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574151Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574150Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.518{E1BD9FC2-8177-609D-3251-00000000BB01}28123852C:\Windows\system32\LogonUI.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574149Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574148Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574147Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.503{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE1173AB1B9FD1927CC9427573EB4038,SHA256=26895D961C0913090B6595EC1298671A4D3CF87C4EC6F2307C960CA07C9EE121,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574146Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3351-00000000BB01}2624C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574145Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3351-00000000BB01}2624C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574144Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3351-00000000BB01}2624C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574143Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.393{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B8D47D2CD41CB76936664501EB93D558,SHA256=39010016108D6D9D867E58326C6A6BFDEA59B08F7E87DB65C95746D0B9944DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574142Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.393{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BADB956BD8F5A3516C953DC83DB96CDD,SHA256=1740991F0AC0F0B7C7D643FDDB1A61E42853549C7835D11ABB0FBF383136CEFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574141Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.378{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574140Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.378{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574139Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.378{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574138Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.378{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574137Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.378{E1BD9FC2-D2BA-609A-1600-00000000BB01}12122964C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3351-00000000BB01}2624C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574136Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.378{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3351-00000000BB01}2624C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574135Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.347{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC446ACA47E66AE4C1030C0D200024C,SHA256=9C0F6DF8635A9E0FB9062BE62139BB412AD801EA76E52F44D62EC225C808725D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574134Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574133Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574132Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574131Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574130Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574129Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574128Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574127Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574126Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574125Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574124Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574123Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574122Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574121Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-8177-609D-3351-00000000BB01}2624C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574120Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-8176-609D-3051-00000000BB01}38922460C:\Windows\system32\winlogon.exe{E1BD9FC2-8177-609D-3351-00000000BB01}2624C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000574119Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.334{E1BD9FC2-8177-609D-3351-00000000BB01}2624C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-2{E1BD9FC2-8177-609D-34C9-900200000000}0x290c9342SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000574118Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574117Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1b160|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574116Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574115Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574114Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574113Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574112Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.315{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121260C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574111Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.315{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574110Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574109Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676354Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:51.383{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8177-609D-6556-00000000BA01}7192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676353Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:51.383{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676352Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:51.383{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676351Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:51.383{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676350Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:51.383{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676349Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:51.383{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8177-609D-6556-00000000BA01}7192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676348Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:51.383{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8177-609D-6556-00000000BA01}7192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676347Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:51.384{7B03F3B2-8177-609D-6556-00000000BA01}7192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000574108Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574107Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574106Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.300{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574105Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574104Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574103Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574102Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574101Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574100Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574099Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574098Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574097Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574096Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.284{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574095Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.284{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574094Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.284{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574093Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.284{E1BD9FC2-8176-609D-3051-00000000BB01}38923180C:\Windows\system32\winlogon.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574092Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.284{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574091Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.284{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000574090Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.297{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a75855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\System32\winlogon.exewinlogon.exe 10341000x8000000000000000574089Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.284{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574088Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.284{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574087Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.284{E1BD9FC2-D2BA-609A-1600-00000000BB01}12122964C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574086Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.284{E1BD9FC2-D2BA-609A-1600-00000000BB01}12122964C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574085Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.284{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574084Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.284{E1BD9FC2-D2BA-609A-1600-00000000BB01}12122964C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574083Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.284{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574082Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.268{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574081Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.268{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574080Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.237{E1BD9FC2-D2BA-609A-1600-00000000BB01}12122528C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574079Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.237{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574078Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.222{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574077Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574076Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574075Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574074Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.206{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574073Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.190{E1BD9FC2-8176-609D-2F51-00000000BB01}3940912C:\Windows\system32\csrss.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000574072Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.175{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000574071Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:51.018{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000574070Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:51.018{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000574069Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:51.018{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x8000000000000000574068Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:51.018{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000574067Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:51.018{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x8000000000000000574066Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:51.018{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x8000000000000000574065Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localInvDB-DriverVerSetValue2021-05-13 19:43:51.018{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96f-e325-11ce-bfc1-08002be10318}\0002\DriverVersion10.0.14393.0 13241300x8000000000000000574064Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:51.018{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x8000000000000000574063Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:51.018{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x8000000000000000574062Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:51.018{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x8000000000000000574061Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:51.018{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x8000000000000000574060Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:51.018{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x8000000000000000574059Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:51.018{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x8000000000000000574058Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localInvDB-DriverVerSetValue2021-05-13 19:43:51.018{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Control\Class\{4d36e96b-e325-11ce-bfc1-08002be10318}\0002\DriverVersion10.0.14393.0 354300x8000000000000000676358Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:51.674{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52506- 23542300x8000000000000000676357Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:52.697{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10F3671E1DEC3590FB9F8F8AB13B2137,SHA256=25C402DA655231A67AF7F2B089498FE73950F01A0C5A69139FEFE5F734C7E554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574687Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.972{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C5AFC7BC5AEA1E87F6F1B50FA1BBAB,SHA256=AFA95344843AD2FC65AA96945E981CE11AB55FAF83C48CB28BA28862F5FB8E60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574686Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574685Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574684Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574683Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574682Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574681Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574680Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574679Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574678Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574677Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574676Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574675Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574674Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574673Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574672Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574671Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574670Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574669Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574668Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574667Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574666Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574665Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574664Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574663Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574662Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574661Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574660Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574659Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574658Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574657Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574656Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574655Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574654Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574653Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574652Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574651Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574650Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.909{E1BD9FC2-8178-609D-3F51-00000000BB01}9562820C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe{E1BD9FC2-8178-609D-3A51-00000000BB01}1556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x8000000000000000574649Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.909{E1BD9FC2-8178-609D-3F51-00000000BB01}9562820C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe{E1BD9FC2-8178-609D-3A51-00000000BB01}1556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x8000000000000000574648Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574647Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.862{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574646Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574645Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574644Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574643Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574642Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.847{E1BD9FC2-8178-609D-3E51-00000000BB01}27923152C:\Windows\system32\conhost.exe{E1BD9FC2-8178-609D-3B51-00000000BB01}3196C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574641Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3F51-00000000BB01}956C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574640Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.831{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0212A015D73B690985759D6FF5FBB0B8,SHA256=B2753636DD37BEAA7E8B41B379A6A676BBD8201B8D3CB6395039FF88F59CED9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574639Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574638Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574637Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.800{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+3a1a|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574636Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.800{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574635Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.800{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121324C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\sessenv.dll+3de88|c:\windows\system32\sessenv.dll+f881|c:\windows\system32\sessenv.dll+677c|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574634Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.800{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574633Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.800{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574632Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.800{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574631Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.800{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574630Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.800{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-8178-609D-3F51-00000000BB01}956C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574629Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.800{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3F51-00000000BB01}956C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000574628Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.793{E1BD9FC2-8178-609D-3F51-00000000BB01}956C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000574627Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.784{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2B5380FF1A2A804F3E25F7D341DE7C9,SHA256=4AAE9EC2C5D1E90E95EDBA0F94D2357D73C058846EAE317DA3FC1FE57CCB1068,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574626Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574625Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3A51-00000000BB01}1556C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574624Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.753{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-8178-609D-3D51-00000000BB01}2504C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574623Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574622Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574621Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.753{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8178-609D-3E51-00000000BB01}2792C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 18141800x8000000000000000574620Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-ConnectPipe2021-05-13 19:43:52.753{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920\TSVCPIPE-88aa4906-771f-4694-8750-ccd2472df030C:\Windows\System32\svchost.exe 10341000x8000000000000000574619Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574618Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.737{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD0914E1C1C357EEC4825D6010E4751,SHA256=239FD70220F766EF34FAAE0C6FB1F1E3C0E38C541A32C066482FC6DBD049F887,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574617Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574616Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574615Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574614Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574613Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574612Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574611Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574610Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.722{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8178-609D-3D51-00000000BB01}2504C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574609Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.722{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3D51-00000000BB01}2504C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+82744|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574608Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574607Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574606Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574605Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574604Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-8178-609D-3B51-00000000BB01}3196C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 18141800x8000000000000000574603Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-ConnectPipe2021-05-13 19:43:52.706{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920\TSVCPIPE-88aa4906-771f-4694-8750-ccd2472df030C:\Windows\System32\svchost.exe 10341000x8000000000000000574602Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2BA-609A-1600-00000000BB01}12122500C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3B51-00000000BB01}3196C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574601Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2B9-609A-0A00-00000000BB01}6203900C:\Windows\system32\services.exe{E1BD9FC2-8178-609D-3A51-00000000BB01}1556C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574600Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574599Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574598Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574597Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574596Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574595Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-8178-609D-3A51-00000000BB01}1556C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574594Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620936C:\Windows\system32\services.exe{E1BD9FC2-8178-609D-3A51-00000000BB01}1556C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000574593Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.697{E1BD9FC2-8178-609D-3A51-00000000BB01}1556C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000574592Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574591Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574590Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574589Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574588Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1700-00000000BB01}1308C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574587Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574586Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620836C:\Windows\system32\services.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574585Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574584Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574583Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574582Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574581Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574580Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574579Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574578Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-D2B9-609A-0A00-00000000BB01}6203900C:\Windows\system32\services.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1dc37|C:\Windows\system32\services.exe+17f38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574577Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3351-00000000BB01}2624C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574576Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3351-00000000BB01}2624C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574575Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.690{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB02AE17DAF99C4C9C0D9DAE318286FF,SHA256=0609CAD6D71E1FFEA57D788FE9C05CB4749F32A69634C54C57762B786DD90EF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574574Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574573Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574572Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574571Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574570Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574569Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574568Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574567Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574566Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574565Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574564Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574563Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574562Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574561Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574560Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574559Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000574558Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_29251e7\Description@%%SystemRoot%%\system32\WpnUserService.dll,-2 13241300x8000000000000000574557Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_29251e7\FailureActionsBinary Data 13241300x8000000000000000574556Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_29251e7\Security\SecurityBinary Data 13241300x8000000000000000574555Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_29251e7\DisplayNameWindows Push Notifications User Service_29251e7 13241300x8000000000000000574554Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1031,T1050SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_29251e7\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000574553Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_29251e7\ErrorControlDWORD (0x00000000) 13241300x8000000000000000574552Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1031,T1050SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_29251e7\StartDWORD (0x00000003) 13241300x8000000000000000574551Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_29251e7\TypeDWORD (0x000000e0) 13241300x8000000000000000574550Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_29251e7\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-14000 13241300x8000000000000000574549Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_29251e7\FailureActionsBinary Data 13241300x8000000000000000574548Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_29251e7\Security\SecurityBinary Data 10341000x8000000000000000574547Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000574546Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_29251e7\DisplayNameUser Data Access_29251e7 13241300x8000000000000000574545Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1031,T1050SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_29251e7\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000574544Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_29251e7\ErrorControlDWORD (0x00000000) 10341000x8000000000000000574543Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000574542Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1031,T1050SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_29251e7\StartDWORD (0x00000003) 13241300x8000000000000000574541Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_29251e7\TypeDWORD (0x000000e0) 10341000x8000000000000000574540Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000574539Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-ConnectPipe2021-05-13 19:43:52.675{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920\TSVCPIPE-88aa4906-771f-4694-8750-ccd2472df030C:\Windows\System32\svchost.exe 13241300x8000000000000000574538Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_29251e7\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-10002 13241300x8000000000000000574537Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_29251e7\FailureActionsBinary Data 13241300x8000000000000000574536Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.675{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_29251e7\Security\SecurityBinary Data 10341000x8000000000000000574535Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000574534Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_29251e7\DisplayNameUser Data Storage_29251e7 13241300x8000000000000000574533Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1031,T1050SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_29251e7\ImagePathC:\Windows\System32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000574532Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_29251e7\ErrorControlDWORD (0x00000000) 13241300x8000000000000000574531Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1031,T1050SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_29251e7\StartDWORD (0x00000003) 13241300x8000000000000000574530Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_29251e7\TypeDWORD (0x000000e0) 13241300x8000000000000000574529Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_29251e7\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-15000 13241300x8000000000000000574528Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_29251e7\FailureActionsBinary Data 13241300x8000000000000000574527Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_29251e7\Security\SecurityBinary Data 13241300x8000000000000000574526Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_29251e7\DisplayNameContact Data_29251e7 13241300x8000000000000000574525Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1031,T1050SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_29251e7\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000574524Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_29251e7\ErrorControlDWORD (0x00000000) 13241300x8000000000000000574523Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1031,T1050SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_29251e7\StartDWORD (0x00000003) 13241300x8000000000000000574522Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_29251e7\TypeDWORD (0x000000e0) 13241300x8000000000000000574521Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_29251e7\Description@%%SystemRoot%%\system32\APHostRes.dll,-10001 13241300x8000000000000000574520Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_29251e7\FailureActionsBinary Data 13241300x8000000000000000574519Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_29251e7\Security\SecurityBinary Data 10341000x8000000000000000574518Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000574517Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_29251e7\DisplayNameSync Host_29251e7 13241300x8000000000000000574516Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1031,T1050SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_29251e7\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000574515Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_29251e7\ErrorControlDWORD (0x00000000) 10341000x8000000000000000574514Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000574513Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1031,T1050SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_29251e7\StartDWORD (0x00000002) 13241300x8000000000000000574512Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_29251e7\TypeDWORD (0x000000e0) 13241300x8000000000000000574511Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_29251e7\Description@%%SystemRoot%%\system32\cdpusersvc.dll,-101 13241300x8000000000000000574510Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_29251e7\FailureActionsBinary Data 13241300x8000000000000000574509Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_29251e7\Security\SecurityBinary Data 10341000x8000000000000000574508Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2BA-609A-1600-00000000BB01}12122500C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574507Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000574506Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_29251e7\DisplayNameCDPUserSvc_29251e7 13241300x8000000000000000574505Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1031,T1050SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_29251e7\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x8000000000000000574504Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_29251e7\ErrorControlDWORD (0x00000001) 13241300x8000000000000000574503Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1031,T1050SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_29251e7\StartDWORD (0x00000002) 13241300x8000000000000000574502Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_29251e7\TypeDWORD (0x000000e0) 10341000x8000000000000000574501Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574500Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574499Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574498Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574497Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574496Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574495Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574494Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574493Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574492Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574491Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574490Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574489Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574488Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574487Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000574486Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-ConnectPipe2021-05-13 19:43:52.628{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920\TSVCPIPE-88aa4906-771f-4694-8750-ccd2472df030C:\Windows\System32\svchost.exe 10341000x8000000000000000574485Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.612{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574484Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.597{E1BD9FC2-8178-609D-3751-00000000BB01}33282760C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000574483Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.597{E1BD9FC2-8178-609D-3751-00000000BB01}33282760C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000574482Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574481Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574480Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.550{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C7DBB7F657EC675AF8BE822288487C,SHA256=C981B5A7F2CEE05BEFAFDEB31B0B735CC5B4E7BD646C3E54D214EA8121355FEC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574479Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574478Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574477Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574476Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574475Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.534{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574474Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574473Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574472Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574471Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574470Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574469Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574468Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574467Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3351-00000000BB01}2624C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574466Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3351-00000000BB01}2624C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574465Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574464Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574463Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574462Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574461Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574460Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2BA-609A-0F00-00000000BB01}9203660C:\Windows\System32\svchost.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+1982c|c:\windows\system32\termsrv.dll+2320b|c:\windows\system32\termsrv.dll+22643|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000574459Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000574458Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 10341000x8000000000000000574457Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574456Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8911AFAD1D970A273206807F77B77312,SHA256=FC51158DFCDE281159F0E97CA9596F56C0C76BFB79F0B45B9E28560F9F3A8E17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574455Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574454Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574453Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574452Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574451Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574450Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574449Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574448Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574447Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574446Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574445Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574444Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574443Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574442Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574441Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574440Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574439Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.503{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3096DABD63D7420442B839196A15DD,SHA256=5D92450818CC726844B57A134FBFE3E29805A7B7E6B6311CA4889BDA2CBD5D2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574438Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574437Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574436Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574435Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574434Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574433Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574432Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574431Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574430Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574429Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574428Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574427Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574426Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574425Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574424Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574423Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574422Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574421Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574420Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574419Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574418Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574417Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574416Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574415Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574414Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574413Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574412Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574411Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574410Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574409Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574408Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574407Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574406Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574405Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574404Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574403Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574402Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574401Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8177ECFF22976644F33FA11483CACAB,SHA256=0FEB1729B989F7ABA4A1FF92373776B70B6B90B2CD08C8E59D3FF394B3B53F51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574400Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574399Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574398Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574397Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574396Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574395Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574394Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3551-00000000BB01}844C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574393Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121324C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3551-00000000BB01}844C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574392Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3551-00000000BB01}844C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574391Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574390Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574389Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574388Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574387Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574386Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574385Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574384Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574383Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574382Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574381Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574380Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574379Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-8178-609D-3551-00000000BB01}844C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574378Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574377Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574376Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574375Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574374Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574373Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574372Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574371Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574370Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574369Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574368Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574367Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8178-609D-3551-00000000BB01}844C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574366Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574365Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3551-00000000BB01}844C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000574364Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-8178-609D-3551-00000000BB01}844C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000574363Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574362Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574361Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574360Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574359Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574358Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574357Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574356Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574355Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574354Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.456{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=839F47D3D83FE9079EF1F064699E5581,SHA256=849E918A7E1B468A1BEC4B2FEEB4FFD78D3EF95BD349C5BE379F180798391957,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574353Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2BA-609A-1900-00000000BB01}19201756C:\Windows\System32\spoolsv.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\spoolsv.exe+1b0d3|C:\Windows\System32\spoolsv.exe+1af39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a27b|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574352Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574351Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574350Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1900-00000000BB01}1920C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574349Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574348Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1900-00000000BB01}1920C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574347Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574346Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574345Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574344Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574343Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1900-00000000BB01}1920C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574342Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574341Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574340Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574339Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574338Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574337Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574336Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574335Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574334Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574333Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574332Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574331Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574330Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574329Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574328Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574327Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574326Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574325Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574324Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574323Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574322Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574321Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574320Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574319Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574318Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574317Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574316Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574315Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574314Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574313Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574312Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574311Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574310Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574309Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574308Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574307Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574306Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574305Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574304Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574303Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574302Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+37c3|c:\windows\system32\SYSNTFY.dll+1dcb|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574301Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574300Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574299Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574298Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574297Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574296Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574295Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574294Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574293Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574292Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574291Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574290Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574289Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574288Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574287Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574286Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574285Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.253{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574284Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.253{E1BD9FC2-8177-609D-3251-00000000BB01}2812NT AUTHORITY\SYSTEMC:\Windows\system32\LogonUI.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\{17A6A947-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.dbMD5=F3DC4461F59519C68ABD86B979EA9762,SHA256=5896967D61C1C716C98511DCFC267A12749D330E5DEB35ECCB4690DFA756C964,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574283Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.237{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3451-00000000BB01}3596C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574282Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.222{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-8178-609D-3451-00000000BB01}3596C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574281Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8178-609D-3451-00000000BB01}3596C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574280Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.206{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281644C:\Windows\system32\lsass.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+1794e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574279Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.175{E1BD9FC2-8177-609D-3251-00000000BB01}2812NT AUTHORITY\SYSTEMC:\Windows\system32\LogonUI.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.binMD5=E871053170AD09568882637D049295DC,SHA256=CEA9EABB0B46AC602CDC3FB6FE6215981F2D7C0C6A5C5023CE72860232DBE12B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574278Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574277Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574276Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.159{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123680C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574275Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574274Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574273Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574272Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574271Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574270Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-0F00-00000000BB01}920C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000574269Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574268Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574267Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574266Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574265Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574264Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574263Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574262Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574261Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.097{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926CDC9C162281B947CCFE9E188230FB,SHA256=C442C96FB3D36F044BF66C62E71CD90ABC9B70CF5F7E157A47C3A9409B3266DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574260Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574259Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574258Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574257Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574256Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574255Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574254Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574253Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574252Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574251Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574250Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574249Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574248Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574247Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574246Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574245Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574244Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574243Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000574242Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-05-13 19:43:52.034{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Enum\SWD\ScDeviceEnumBus\1\FriendlyNameMicrosoft Passport Container Enumeration Bus 13241300x8000000000000000574241Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localInvDB-DriverVerSetValue2021-05-13 19:43:52.034{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0003\DriverVersion10.0.14393.0 13241300x8000000000000000574240Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-05-13 19:43:52.034{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Enum\SWD\ScDeviceEnumBus\0\FriendlyNameSmart Card Device Enumeration Bus 13241300x8000000000000000574239Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localInvDB-DriverVerSetValue2021-05-13 19:43:52.034{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemHKLM\System\CurrentControlSet\Control\Class\{62f9c741-b25a-46ce-b54c-9bccce08b6f2}\0002\DriverVersion10.0.14393.0 10341000x8000000000000000574238Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574237Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574236Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574235Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.018{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CD5595D32BEC44E01E466617552FC48E,SHA256=7F7837D6535C424FB78B30D4A40CB0F22E765273FC2917E9A157137F27527173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574234Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.018{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F177A22EA7326A1B1251EAE3829AD43,SHA256=230C19E30BE84E7610FE34B54E6D7F96FE4DDE8EFD3BED334BCCD8561393EF82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574233Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.003{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CD5595D32BEC44E01E466617552FC48E,SHA256=7F7837D6535C424FB78B30D4A40CB0F22E765273FC2917E9A157137F27527173,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574232Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.003{E1BD9FC2-D2BA-609A-1400-00000000BB01}3882052C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574231Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.003{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D4BF469587FAACEA227339B31C1BB287,SHA256=EB916CFCABE9BD0B6C9D825FEA2C10046BE299B7D7010DB78E759E41CAD63DB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574230Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574229Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574228Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574227Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574226Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574225Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574224Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574223Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574222Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574221Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574220Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2BA-609A-0F00-00000000BB01}9203660C:\Windows\System32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574219Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574218Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3251-00000000BB01}2812C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574828Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.987{E1BD9FC2-8179-609D-4551-00000000BB01}3772WIN-HOST-681\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.bakMD5=840DF767CAC9367CBBFD774EF011EAF3,SHA256=B2BAC5F3DE47D5C7ACDC0F8AFC4FFD4740260880C0A0CF4E4383495AB1AA98DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574827Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.987{E1BD9FC2-8179-609D-4551-00000000BB01}3772WIN-HOST-681\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIAB05.tmpMD5=A828B8C496779BDB61FCE06BA0D57C39,SHA256=C952F470A428D5D61ED52FB05C0143258687081E1AD13CFE6FF58037B375364D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574826Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.987{E1BD9FC2-8179-609D-4551-00000000BB01}3772WIN-HOST-681\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIAB05.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000574825Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:53.972{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXEHKU\S-1-5-21-3056260599-3525860832-1735521891-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FBF23B40-E3F0-101B-8488-00AA003E56F8} {000214F9-0000-0000-C000-000000000046} 0xFFFFBinary Data 354300x8000000000000000574824Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.904{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-681.attackrange.local52507-false10.0.1.14ip-10-0-1-14.us-west-2.compute.internal389- 354300x8000000000000000574823Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:51.198{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52874-false20.54.89.106-443https 10341000x8000000000000000574822Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574821Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.878{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4CC9CADFA65F216B52BADF678E98F1,SHA256=7A6E7A6213F953CE7467B302CB3050F61F3C03F85EF7775F46E68B2302587606,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574820Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.878{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00CFE501CC03316FD8F9B3FF2129A5E7,SHA256=F96DFBA6E3CA2F5B078A89E1DC0E64161375522447B2E7C3389309E85FF3EE58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574819Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.815{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8179-609D-4551-00000000BB01}3772C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574818Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.815{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8179-609D-4551-00000000BB01}3772C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574817Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.815{E1BD9FC2-8179-609D-4551-00000000BB01}3772WIN-HOST-681\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIAA48.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574816Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.815{E1BD9FC2-8179-609D-4551-00000000BB01}3772WIN-HOST-681\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIAA48.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574815Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.800{E1BD9FC2-8179-609D-4551-00000000BB01}3772WIN-HOST-681\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIAA38.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574814Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.800{E1BD9FC2-8179-609D-4551-00000000BB01}3772WIN-HOST-681\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIAA38.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574813Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.784{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-8179-609D-4851-00000000BB01}2600C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676361Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:53.728{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3C4A0C9E6947B086008406FED930DA,SHA256=F667D77A9067FF0A0C60F8CA5C274A30B9A931A0E52C65ADA49F0DB42FB8B382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574812Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.784{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-8179-609D-4851-00000000BB01}2600C:\Windows\system32\RunDll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574811Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.784{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8179-609D-4751-00000000BB01}700C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574810Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.784{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8179-609D-4751-00000000BB01}700C:\Windows\system32\RunDll32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574809Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574808Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574807Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574806Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574805Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.768{E1BD9FC2-8179-609D-4551-00000000BB01}3772WIN-HOST-681\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIA9F8.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574804Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574803Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574802Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574801Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574800Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.753{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123320C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4851-00000000BB01}2600C:\Windows\system32\RunDll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574799Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.753{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4851-00000000BB01}2600C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574798Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.753{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123320C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4751-00000000BB01}700C:\Windows\system32\RunDll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574797Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.753{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4751-00000000BB01}700C:\Windows\system32\RunDll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574796Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.753{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574795Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.753{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574794Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574793Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574792Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.737{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-8179-609D-4851-00000000BB01}2600C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574791Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.737{E1BD9FC2-8179-609D-4651-00000000BB01}19884072C:\Windows\System32\ie4uinit.exe{E1BD9FC2-8179-609D-4851-00000000BB01}2600C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+1845f|C:\Windows\system32\migration\WininetPlugin.dll+2b25|C:\Windows\system32\migration\WininetPlugin.dll+1e44|C:\Windows\system32\migration\WininetPlugin.dll+176c|C:\Windows\System32\ie4uinit.exe+2b3c|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000574790Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.750{E1BD9FC2-8179-609D-4851-00000000BB01}2600C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402MediumMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -ClearIconCache 10341000x8000000000000000574789Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.737{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-8179-609D-4751-00000000BB01}700C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574788Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.737{E1BD9FC2-8179-609D-4651-00000000BB01}19884072C:\Windows\System32\ie4uinit.exe{E1BD9FC2-8179-609D-4751-00000000BB01}700C:\Windows\system32\RunDll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+1845f|C:\Windows\system32\migration\WininetPlugin.dll+2b25|C:\Windows\system32\migration\WininetPlugin.dll+1e44|C:\Windows\system32\migration\WininetPlugin.dll+1743|C:\Windows\System32\ie4uinit.exe+2b3c|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000574787Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.747{E1BD9FC2-8179-609D-4751-00000000BB01}700C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0C:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402LowMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exeC:\Windows\System32\ie4uinit.exe -ClearIconCache 23542300x8000000000000000574786Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.722{E1BD9FC2-8179-609D-4551-00000000BB01}3772WIN-HOST-681\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIA9F8.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574785Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.722{E1BD9FC2-8179-609D-4551-00000000BB01}3772WIN-HOST-681\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIA9E7.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574784Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.722{E1BD9FC2-8179-609D-4551-00000000BB01}3772WIN-HOST-681\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIA9E7.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574783Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.706{E1BD9FC2-8179-609D-4551-00000000BB01}3772WIN-HOST-681\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIA9D7.tmpMD5=DD4F5026AA316D4AEC4A9D789E63E67B,SHA256=8D7E6CEE70D6035C066B93143461D5F636E144373F5C46BC10A8935D306E0737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574782Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.706{E1BD9FC2-8179-609D-4551-00000000BB01}3772WIN-HOST-681\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIA9D7.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574781Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.690{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123320C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\shsvcs.dll+11f99|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000574780Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.690{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123320C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x101068C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\shsvcs.dll+11f27|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000574779Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.690{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574778Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.690{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574777Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.675{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123320C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574776Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.675{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574775Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.659{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F317A3A8095EB7D22992DAFEB270C9C,SHA256=BD7F995546D35322D49D5851B25A31E166074469D98A1737B197873B87A9ADF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574774Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.643{E1BD9FC2-8179-609D-4451-00000000BB01}32162664C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574773Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.643{E1BD9FC2-8179-609D-4451-00000000BB01}32161568C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574772Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574771Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574770Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574769Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574768Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.643{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574767Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.643{E1BD9FC2-8179-609D-4551-00000000BB01}37723700C:\Windows\System32\ie4uinit.exe{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ie4uinit.exe+2d19|C:\Windows\System32\ie4uinit.exe+33b8|C:\Windows\System32\ie4uinit.exe+245e7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000574766Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.652{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exe11.00.14393.2999 (rs1_release_inmarket.190520-1518)IE Per-User Initialization UtilityInternet ExplorerMicrosoft CorporationIE4UINIT.EXEC:\Windows\System32\ie4uinit.exe -ClearIconCacheC:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=8450580ADC40581006B7233F2B2803EB,SHA256=DD7FE0DBD6BD3B66437C093B707D1B2CA8AC72E4671B88829A4327FA6B8A00BD,IMPHASH=A9F54FA8B3C0ECA158788E684C66CA9A{E1BD9FC2-8179-609D-4551-00000000BB01}3772C:\Windows\System32\ie4uinit.exe"C:\Windows\System32\ie4uinit.exe" -UserConfig 10341000x8000000000000000574765Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.612{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123320C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4551-00000000BB01}3772C:\Windows\System32\ie4uinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574764Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.612{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4551-00000000BB01}3772C:\Windows\System32\ie4uinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574763Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574762Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574761Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.581{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-8179-609D-4551-00000000BB01}3772C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574760Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574759Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574758Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.581{E1BD9FC2-8179-609D-4251-00000000BB01}39324084C:\Windows\Explorer.EXE{E1BD9FC2-8179-609D-4551-00000000BB01}3772C:\Windows\System32\ie4uinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+551e34|C:\Windows\System32\SHELL32.dll+551890|C:\Windows\System32\SHELL32.dll+551a04|C:\Windows\System32\SHELL32.dll+1cc59b|C:\Windows\System32\SHELL32.dll+1cc456|C:\Windows\System32\SHELL32.dll+ae621 23542300x8000000000000000676360Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:53.612{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DECD7D578C69CC1B00024FE2D84AA270,SHA256=A4491E6CC18141E788AA81BB6688E56471F0A798CB2DFF5B54DB9029F830DA60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676359Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:53.281{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B33A00C97AA28F16608BDDF410358B4A,SHA256=2F3111842EA726EE29B9DE46CB508055A4AABD614907E8F96EA4527CEE002E09,IMPHASH=00000000000000000000000000000000falsetrue 154100x8000000000000000574757Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.585{E1BD9FC2-8179-609D-4551-00000000BB01}3772C:\Windows\System32\ie4uinit.exe11.00.14393.2999 (rs1_release_inmarket.190520-1518)IE Per-User Initialization UtilityInternet ExplorerMicrosoft CorporationIE4UINIT.EXE"C:\Windows\System32\ie4uinit.exe" -UserConfigC:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=8450580ADC40581006B7233F2B2803EB,SHA256=DD7FE0DBD6BD3B66437C093B707D1B2CA8AC72E4671B88829A4327FA6B8A00BD,IMPHASH=A9F54FA8B3C0ECA158788E684C66CA9A{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x8000000000000000574756Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.518{E1BD9FC2-D2B9-609A-0A00-00000000BB01}6203900C:\Windows\system32\services.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574755Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574754Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.518{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574753Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.518{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574752Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.518{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574751Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.518{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620936C:\Windows\system32\services.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574750Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.503{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574749Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574748Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574747Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.503{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574746Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.503{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574745Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.487{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574744Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.487{E1BD9FC2-8179-609D-4351-00000000BB01}17601888C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000574743Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.487{E1BD9FC2-8179-609D-4351-00000000BB01}17601888C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000574742Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.487{E1BD9FC2-8179-609D-4351-00000000BB01}17601888C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x8000000000000000574741Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.487{E1BD9FC2-8179-609D-4351-00000000BB01}17601888C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x8000000000000000574740Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.487{E1BD9FC2-8179-609D-4351-00000000BB01}17601888C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000574739Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.487{E1BD9FC2-8179-609D-4351-00000000BB01}17601888C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000574738Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.487{E1BD9FC2-8179-609D-4351-00000000BB01}1760172C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000574737Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.487{E1BD9FC2-8179-609D-4351-00000000BB01}1760172C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000574736Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.487{E1BD9FC2-8179-609D-4351-00000000BB01}1760172C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x8000000000000000574735Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.472{E1BD9FC2-8179-609D-4351-00000000BB01}1760172C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x8000000000000000574734Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.472{E1BD9FC2-8179-609D-4351-00000000BB01}1760172C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000574733Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574732Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.472{E1BD9FC2-8179-609D-4351-00000000BB01}1760172C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000574731Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.456{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574730Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.440{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53EA630058E2E97D06AC2E90115197CB,SHA256=A1167FBE4DEBD562E2B537DF1777FA14B16C76D9CC502DBF8F7D5CCDC1FF0CA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574729Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.425{E1BD9FC2-D2B9-609A-0A00-00000000BB01}6203900C:\Windows\system32\services.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574728Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574727Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574726Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574725Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574724Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.425{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574723Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.425{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620936C:\Windows\system32\services.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000574722Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.416{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k AppReadinessC:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x8000000000000000574721Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.409{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574720Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574719Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574718Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.409{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-D2B9-609A-0A00-00000000BB01}620C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574717Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.393{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574716Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.393{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574715Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574714Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.347{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123320C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574713Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.347{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574712Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.331{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer\ExplorerStartupLog.etlMD5=184FA94EBB57B2609A3F5C014A01CC0D,SHA256=DCB008A7EA59EDDC58DF5FA0C952752415AF5C8017DE4535C9DE1683B1A386D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574711Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3351-00000000BB01}2624C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574710Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3351-00000000BB01}2624C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574709Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574708Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574707Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574706Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574705Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.128{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574704Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.128{E1BD9FC2-8179-609D-4151-00000000BB01}299296C:\Windows\system32\userinit.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+23e5|C:\Windows\system32\userinit.exe+346e|C:\Windows\system32\userinit.exe+3725|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000574703Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.082{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\Explorer.EXEC:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=F7FDECA990692D53D7E4E396B0BD711E,SHA256=1F955612E7DB9BB037751A89DAE78DFAF03D7C1BCC62DF2EF019F6CFE6D1BBA7,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{E1BD9FC2-8179-609D-4151-00000000BB01}2992C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 23542300x8000000000000000574702Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.065{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B8D47D2CD41CB76936664501EB93D558,SHA256=39010016108D6D9D867E58326C6A6BFDEA59B08F7E87DB65C95746D0B9944DD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574701Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.065{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123320C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4151-00000000BB01}2992C:\Windows\system32\userinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574700Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.065{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4151-00000000BB01}2992C:\Windows\system32\userinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574699Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.050{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=841DAB651D5A9B653C7424C9FDE37CE5,SHA256=22045D4B0180F9FF1D78C1085C9CFB217D45FFB7DC94F81B2CAE84E1CE91F871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574698Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.050{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8195442B75222B2AC4B221B53631200C,SHA256=520764B338D8237A05E3423CD6F2F057CD49EE08FD964A689F26E109A416A01F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574697Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574696Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574695Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574694Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574693Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.050{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-8179-609D-4151-00000000BB01}2992C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574692Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.050{E1BD9FC2-8176-609D-3051-00000000BB01}38921964C:\Windows\system32\winlogon.exe{E1BD9FC2-8179-609D-4151-00000000BB01}2992C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+ea76|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000574691Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.056{E1BD9FC2-8179-609D-4151-00000000BB01}2992C:\Windows\System32\userinit.exe10.0.14393.0 (rs1_release.160715-1616)Userinit Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationUSERINIT.EXEC:\Windows\system32\userinit.exeC:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=C1B1FFC800BE2F31EB2CF8CB40629C69,SHA256=CFC6A18FC8FE7447ECD491345A32F0F10208F114B70A0E9D1CD72F6070D5B36F,IMPHASH=BFA137B16F3492AFCA0551687B067C04{E1BD9FC2-8176-609D-3051-00000000BB01}3892C:\Windows\System32\winlogon.exewinlogon.exe 23542300x8000000000000000574690Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.050{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F0F70B7BC62CF2232BE7CDEE2408F596,SHA256=BC7BD81DA865E2C270F0FEF4894F042ABE9C15A4615F8D219FEAAE0FF8CE03BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574689Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574688Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.003{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2116091696AA1799A61A6C1B944F6C45,SHA256=2CEE80BA75ED31358A7F70CE79EFD8C3F9B303BEEF64E1A1554AA4D5209002B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575241Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.987{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txtMD5=83CDB65FC5E3B9880848CA153945CD99,SHA256=E2E2AC74937053440DD9592C7CC1619F3290A042838C9922D69E1B5BFF985B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575240Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.987{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txtMD5=94E8C0A2D77D4C6A4CC2AA5D6D71B3FC,SHA256=F0E0AA4CBFFAC78A340ADD726D7D94A090CE6D8E6DEFBC9673531B4E5053B05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575239Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.987{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txtMD5=3F65ED27EE681BC5D4F69A5C271DB6A1,SHA256=63828079B72050681B6811C4AA76A79CF8FB5F51E04B1596DBD761007BFC829E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575238Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.987{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txtMD5=006B1BF929F2A82B7AD00727A9F1623C,SHA256=A9F72540A0C0F03453F87AC641EB31BF401D6BE7A92F4615E9C49C7725BC3427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575237Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.987{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txtMD5=203D482240E2A13DE24F8F82A9037348,SHA256=5B64FA6B42BE7F59D4D48C4C85ED73B9311003133E8F02F04AE6FA198CD81ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575236Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.987{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\appcache[1].manMD5=5F027173844AA0ED63AE4AC12D3B615C,SHA256=72ADFCEA238F8F0B956A60BED2C609F825973CA4D52B5D92E3D41C51E15B40DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575235Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575234Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.972{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575233Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.972{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFD00CF932E74D2F01F3DA025790CFB,SHA256=BC0E44D22BE1557A9A000EC4417BA6F9E8A31F1691186D75B43F06653D68EED1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000575232Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.480{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52875-false151.139.128.14-80http 10341000x8000000000000000575231Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.956{E1BD9FC2-8178-609D-3751-00000000BB01}33282644C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000575230Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.956{E1BD9FC2-8178-609D-3751-00000000BB01}33282644C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000575229Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.925{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC55AEBDF7E2F3BACC337CF9C6F30F67,SHA256=5CFC25CBCC1DFF085D1F01F472A8683BA3FDD2FF64C498D824C5B1476F4AF0EF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000575228Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.925{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708S-1-5-21-3056260599-3525860832-1735521891-500v2.26|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|C=S-1-15-3-1|C=S-1-15-3-4|C=S-1-15-3-15993189-1149757597-3280441496-4094800555|C=S-1-15-3-139472938-1339732804-1469114779-4031155563|C=S-1-15-3-1849407097-1086866290-155560606-3624675039|C=S-1-15-3-2015030808-1290041139-4103196845-2461361948|C=S-1-15-3-2973957182-1175190094-721927306-1883016034|C=S-1-15-3-3633849274-1266774400-1199443125-2736873758|C=S-1-15-3-2105443330-1210154068-4021178019-2481794518|C=S-1-15-3-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|M=microsoft.windows.shellexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|D=C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\|PFN=Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy| 13241300x8000000000000000575227Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.909{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{97350C09-CFB6-4AA3-A5FF-1320386A4FB3}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x8000000000000000575226Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.909{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{8309AB81-22C0-42A1-B1C2-0E7DB33FE286}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 13241300x8000000000000000575225Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.909{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{A9236506-594D-4B05-A248-0C6ED2AA24E5}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 13241300x8000000000000000575224Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.909{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{BFACDC7E-4034-4888-BE2A-BABA510FCFD1}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|Desc=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-155514346-2573954481-755741238-1654018636-1233331829-3075935687-2861478708|EmbedCtxt=@{Microsoft.Windows.ShellExperienceHost_10.0.14393.2068_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}| 10341000x8000000000000000575223Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575222Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575221Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575220Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575219Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575218Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.893{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Header.binMD5=2477E1067EE108D32AA262307A357732,SHA256=C1A0FD9DA6CCA70C5D69C4E62FBDC08EBABCEAB018611E869B6F78EBABE9E640,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575217Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575216Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575215Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.878{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\TileCache_100_0_Data.binMD5=1454E96AC56B9536AB32CCA75F5E5D45,SHA256=9568E2708BEE9FE90D3D981F9D52415DED574A95BF9525EEE961A2467C9F5325,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575214Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575213Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575212Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575211Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575210Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575209Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575208Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575207Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575206Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575205Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575204Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575203Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575202Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.862{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.dat.LOG1MD5=08D33FDECF9DFDB3AAA55E46F4DDF872,SHA256=8890B44AAD4579F4798FAE71AF174F6AA9BF78A2556F77174D8B4E457E600EBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575201Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.862{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575200Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.862{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Settings\settings.datMD5=134B2FB2E7188ED9BB83131C1F4907FC,SHA256=1D1EC260A84B289FDCEA6A538DE14870922F2FEDE4B45E10E138F239A8353562,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575199Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.862{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575198Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.862{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575197Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.862{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575196Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.862{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575195Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.862{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575194Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.862{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575193Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.862{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Microsoft\Windows\855533271\3923659455.priMD5=2D61605026CA74ED5301578606464552,SHA256=84019A9745D574D378277A1084C237265451F0C45196348372A715711610EB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575192Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.862{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\AC\Microsoft\Windows\3339743440\902793749.priMD5=98C999EAE532EE8FCB19ED482C1C0B6B,SHA256=081F850F71892C895B1808104D3C2B5293448F0F6B9E5003FD1D69DF5BD8E8B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575191Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.847{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.dbMD5=A7F8296CDC5152AB7651B283020EEE4F,SHA256=8A553E97AE3298F7478DF69DF7F5AB092CA144143ED387C935A84306F41DBCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575190Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.847{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD3178139EFFFDFDF07F58F2A7E612EF,SHA256=9777D690A71759FA9B38FA43F5C0E35079203460D94CE1C2E9DF17F841EA6E13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575189Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575188Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575187Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575186Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575185Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575184Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575183Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.847{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3056260599-3525860832-1735521891-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575182Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.800{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-817A-609D-4E51-00000000BB01}1876C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575181Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.800{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-817A-609D-4E51-00000000BB01}1876C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575180Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.784{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}1876C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000575179Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.784{E1BD9FC2-8179-609D-4251-00000000BB01}39324084C:\Windows\Explorer.EXE{00000000-0000-0000-0000-000000000000}1876C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+551e34|C:\Windows\System32\SHELL32.dll+551890|C:\Windows\System32\SHELL32.dll+551a04|C:\Windows\System32\SHELL32.dll+1cc59b|C:\Windows\System32\SHELL32.dll+30b2d|C:\Windows\System32\SHELL32.dll+ae621 154100x8000000000000000575178Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.785{E1BD9FC2-817A-609D-4E51-00000000BB01}1876C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenUserC:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\explorer.exeC:\Windows\Explorer.EXE 13241300x8000000000000000575177Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.753{E1BD9FC2-817A-609D-4D51-00000000BB01}2812C:\Windows\System32\rundll32.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809DWORD (0x00000000) 13241300x8000000000000000575176Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.753{E1BD9FC2-817A-609D-4D51-00000000BB01}2812C:\Windows\System32\rundll32.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1206DWORD (0x00000003) 23542300x8000000000000000575175Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.753{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C196432F275468CA8AF376A07CAD12E,SHA256=2E2A340BF8C4CEFA2431D3843EB6A9F2900EA0DC5A65E14BAB3487E83CE009D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575174Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.753{E1BD9FC2-817A-609D-4D51-00000000BB01}2812WIN-HOST-681\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIADF3.tmpMD5=A828B8C496779BDB61FCE06BA0D57C39,SHA256=C952F470A428D5D61ED52FB05C0143258687081E1AD13CFE6FF58037B375364D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575173Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575172Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575171Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575170Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575169Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575168Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575167Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-817A-609D-4D51-00000000BB01}2812WIN-HOST-681\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIADF3.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575166Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575165Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575164Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575163Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575162Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575161Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575160Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575159Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575158Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575157Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575156Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575155Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575154Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.737{E1BD9FC2-817A-609D-4D51-00000000BB01}2812WIN-HOST-681\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIADD2.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000575153Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.722{E1BD9FC2-817A-609D-4D51-00000000BB01}2812C:\Windows\System32\rundll32.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500DWORD (0x00000000) 10341000x8000000000000000575152Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575151Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575150Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575149Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575148Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575147Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575146Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575145Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.706{E1BD9FC2-817A-609D-4D51-00000000BB01}2812WIN-HOST-681\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIADD2.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575144Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.706{E1BD9FC2-817A-609D-4D51-00000000BB01}2812WIN-HOST-681\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIADB2.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575143Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.690{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575142Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.690{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575141Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.690{E1BD9FC2-817A-609D-4D51-00000000BB01}2812WIN-HOST-681\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIADB2.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575140Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.690{E1BD9FC2-8179-609D-4451-00000000BB01}32162664C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575139Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.690{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3056260599-3525860832-1735521891-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575138Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.659{E1BD9FC2-817A-609D-4D51-00000000BB01}2812WIN-HOST-681\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIAD73.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575137Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575136Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575135Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575134Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575133Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575132Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575131Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575130Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575129Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575128Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575127Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575126Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575125Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575124Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575123Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575122Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575121Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575120Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575119Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575118Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575117Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575116Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575115Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575114Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575113Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575112Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575111Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575110Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.643{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\ImmersiveControlPanel\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575109Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.612{E1BD9FC2-817A-609D-4D51-00000000BB01}2812WIN-HOST-681\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIAD73.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575108Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.612{E1BD9FC2-817A-609D-4D51-00000000BB01}2812WIN-HOST-681\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIAD62.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575107Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.612{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\windows.immersivecontrolpanel_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575106Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.597{E1BD9FC2-817A-609D-4D51-00000000BB01}2812WIN-HOST-681\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIAD62.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575105Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575104Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575103Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575102Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575101Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575100Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575099Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575098Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.581{E1BD9FC2-817A-609D-4D51-00000000BB01}2812WIN-HOST-681\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIAD42.tmpMD5=3006752A2BCFEDA0F75D551EA656B2EF,SHA256=DFD64231860C732DCED3DC78627A7844A08D5D3E4CD253FD81186BAE33CC368A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575097Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.581{E1BD9FC2-817A-609D-4D51-00000000BB01}2812WIN-HOST-681\AdministratorC:\Windows\System32\rundll32.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RGIAD42.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575096Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575095Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575094Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.565{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3056260599-3525860832-1735521891-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575093Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.550{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-817A-609D-4D51-00000000BB01}2812C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575092Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.550{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-817A-609D-4D51-00000000BB01}2812C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575091Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575090Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575089Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575088Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575087Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.550{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=406F8235826CAEB501C82F90C35AADEE,SHA256=46F2D55E9DF099C587A43318472C94D1AFCCB58D10A248AAB0EDB3E2519A5E19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575086Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.534{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-817A-609D-4D51-00000000BB01}2812C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000575085Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.534{E1BD9FC2-8179-609D-4251-00000000BB01}39324084C:\Windows\Explorer.EXE{E1BD9FC2-817A-609D-4D51-00000000BB01}2812C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+551e34|C:\Windows\System32\SHELL32.dll+551890|C:\Windows\System32\SHELL32.dll+551a04|C:\Windows\System32\SHELL32.dll+1cc59b|C:\Windows\System32\SHELL32.dll+30b2d|C:\Windows\System32\SHELL32.dll+ae621 154100x8000000000000000575084Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.541{E1BD9FC2-817A-609D-4D51-00000000BB01}2812C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXE"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iesetup.dll",IEHardenAdminC:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x8000000000000000575083Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.534{E1BD9FC2-8179-609D-4451-00000000BB01}32162664C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575082Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.518{E1BD9FC2-8179-609D-4451-00000000BB01}32161568C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000575081Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.503{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXEC:\Users\Administrator\Links\Downloads.lnk2021-05-11 18:12:43.991 23542300x8000000000000000575080Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.503{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\Links\Downloads.lnkMD5=859920D477EE7ED0174243DFF586E5E3,SHA256=1F8B2760E210762D02665D55224973A3EE73E43B7E0F5398AF35E86861B7CB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575079Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.503{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396088B4916F1201AB2CAEED62A0DFB2,SHA256=96C7384C472F9CC0CC2524DC882079EB1A86E57B8D42F8910E404C4CF608DE7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575078Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575077Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575076Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575075Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575074Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575073Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575072Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575071Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575070Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575069Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575068Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575067Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575066Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575065Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000575064Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXEC:\Users\Administrator\Links\Desktop.lnk2021-05-11 18:12:43.991 23542300x8000000000000000575063Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\Links\Desktop.lnkMD5=D5CF13D810C697DFC19F42E6D44FE391,SHA256=CDE1DBC52A9ED24304BE4A6EB10EBDD3C80F7016F136519CA3504F04539988E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575062Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575061Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575060Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575059Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575058Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575057Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575056Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575055Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575054Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575053Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575052Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575051Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575050Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575049Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.472{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575048Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575047Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575046Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575045Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575044Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.440{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-817A-609D-4C51-00000000BB01}2344C:\Windows\system32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575043Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.440{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-817A-609D-4C51-00000000BB01}2344C:\Windows\system32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575042Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575041Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575040Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575039Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575038Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575037Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575036Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575035Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-817A-609D-4C51-00000000BB01}2344C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000575034Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-817A-609D-4C51-00000000BB01}2344C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000575033Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-8179-609D-4451-00000000BB01}32161272C:\Windows\system32\svchost.exe{E1BD9FC2-817A-609D-4C51-00000000BB01}2344C:\Windows\system32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\System32\AppXDeploymentExtensions.desktop.dll+21b54|C:\Windows\System32\AppXDeploymentExtensions.desktop.dll+2a21d|c:\windows\system32\appxdeploymentserver.dll+157fbf|c:\windows\system32\appxdeploymentserver.dll+ae504|c:\windows\system32\appxdeploymentserver.dll+92924|c:\windows\system32\appxdeploymentserver.dll+19e0c|c:\windows\system32\appxdeploymentserver.dll+2bffd|c:\windows\system32\appxdeploymentserver.dll+2bdf9|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000575032Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.430{E1BD9FC2-817A-609D-4C51-00000000BB01}2344C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefreshC:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx 10341000x8000000000000000575031Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575030Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575029Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575028Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575027Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575026Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575025Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575024Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575023Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575022Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575021Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575020Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575019Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575018Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.425{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000575017Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.425{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773S-1-5-21-3056260599-3525860832-1735521891-500v2.26|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|B=C:\Windows\system32\wwahost.exe|M=microsoft.windows.cloudexperiencehost_cw5n1h2txyewy|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\|PFN=Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy| 10341000x8000000000000000575016Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575015Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575014Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575013Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575012Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575011Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.409{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575010Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.409{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms~RFa7aac96.TMPMD5=A7289AEC53014AE8FD86561193817755,SHA256=BB409A27BE4330D6871D718D2903084C17D60F648169696D30AAEB3FA4056859,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000575009Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.409{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{09B4F2BC-CE01-4109-A1FB-9B60A5611944}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ| 13241300x8000000000000000575008Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.409{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{788AA679-C2E3-44D1-B74C-4CCD0FFEC4D0}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Platform=2:6:2|Platform2=GTEQ| 13241300x8000000000000000575007Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.409{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{820984C5-54C0-4A04-8983-77BFF3B137D4}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x8000000000000000575006Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.409{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{F5731C9F-04C3-4AC8-A85F-0A669E121E0B}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Security=Authenticate| 13241300x8000000000000000575005Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.409{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C8E9103A-BBFC-424E-974F-6621978D88BB}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Security=Authenticate| 23542300x8000000000000000575004Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.409{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA06C965319BFAD8B2528562CB632CE,SHA256=039D440A1618EE516F3360F9D22F66F41C6BF973CA5B0D30200B43F962FF3F34,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000575003Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.409{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{702039F4-3987-4FB0-8411-241E40FC2F5A}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x8000000000000000575002Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.409{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{ED012554-F7CB-4EC3-B2D7-29C67DA53BE6}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 13241300x8000000000000000575001Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.409{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{97F5F3F8-5015-4896-9689-0B3B89E39B00}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 23542300x8000000000000000575000Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.409{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000574999Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.409{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{B9FE93AE-282A-487A-8C86-3A6192FF4E1A}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|Desc=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2434737943-167758768-3180539153-984336765-1107280622-3591121930-2677285773|EmbedCtxt=@{Microsoft.Windows.CloudExperienceHost_10.0.14393.1066_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.CloudExperienceHost/resources/appDescription}| 23542300x8000000000000000574998Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.378{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000574997Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.378{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272S-1-5-21-3056260599-3525860832-1735521891-500v2.26|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|C=S-1-15-3-1|C=S-1-15-3-3|C=S-1-15-3-8|C=S-1-15-3-9|C=S-1-15-3-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|M=microsoft.aad.brokerplugin_cw5n1h2txyewy|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|D=C:\Windows\SystemApps\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\|PFN=Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy| 23542300x8000000000000000574996Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.378{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms~RFa7aac77.TMPMD5=726A187B21EA2DC0EBAECC62786BA773,SHA256=9863BE69F84864F3A67543D37381FE238CB0A21A7064D76EDD071F09261A3C99,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000574995Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.378{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{7AB67A3A-1630-411A-A3C3-57E9C5531461}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x8000000000000000574994Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.378{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{DD94B618-C0A2-4373-AE4D-BD8045860C7D}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x8000000000000000574993Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.362{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{65B7B66A-6044-48B8-A1ED-F02014129F4F}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x8000000000000000574992Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.362{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{BFF80442-6FF0-446C-AEA6-CB930E43DDBA}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Security=Authenticate| 13241300x8000000000000000574991Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.362{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{929645D8-28D6-4CD8-AFB1-9AB9657D0928}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Security=Authenticate| 13241300x8000000000000000574990Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.362{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{7856FABC-A4E2-4520-A6D9-BF6C5C511C63}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x8000000000000000574989Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.362{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{1D17CE99-2353-466C-BC97-6DE91B1D3B5A}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x8000000000000000574988Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.362{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C70A5639-EE7D-4130-8966-81C058686712}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 13241300x8000000000000000574987Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.362{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{E80BF732-7F0D-446F-8E59-C7835D16C3C7}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|Desc=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272|EmbedCtxt=@{Microsoft.AAD.BrokerPlugin_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.AAD.BrokerPlugin/resources/PackageDisplayName}| 10341000x8000000000000000574986Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.362{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574985Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.362{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574984Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.362{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574983Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.362{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574982Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.362{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574981Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.362{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574980Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574979Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574978Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574977Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574976Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574975Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574974Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574973Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574972Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574971Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574970Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574969Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574968Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574967Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FEC9A2C6455311212B788F150E1B96,SHA256=034ECE422CBE5461ADED2D078C8BBB4124003442FCD188DC32F4113B1D9281AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574966Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574965Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574964Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574963Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574962Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.347{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574961Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574960Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574959Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.331{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms~RFa7aac57.TMPMD5=F1A00308FD32FC41CB0EC5544436AA41,SHA256=FAA871E3475CDBAA69BF6D2A514CC02F86A13D3305E38532A5A77770768B7A78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574958Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574957Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574956Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574955Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574954Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574953Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574952Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574951Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574950Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574949Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000676379Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:54.031{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal53451- 354300x8000000000000000676378Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:53.688{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal60409- 354300x8000000000000000676377Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:53.618{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal54080- 354300x8000000000000000676376Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:53.440{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51286-false10.0.1.12-8000- 354300x8000000000000000676375Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:53.251{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal58918- 354300x8000000000000000676374Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:53.121{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal60488- 354300x8000000000000000676373Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:53.088{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal51133- 354300x8000000000000000676372Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:52.524{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local389-false10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52507- 23542300x8000000000000000676371Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:54.748{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB5257FC025B947D267B1BD6A8EAD74C,SHA256=52C4D6DD15F29AB1FB5C7E9691CC2132E4E14A8F6E7AE65B5FEB833E70A327B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574948Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574947Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574946Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574945Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574944Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574943Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574942Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574941Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574940Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574939Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3056260599-3525860832-1735521891-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574938Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574937Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574936Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574935Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574934Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574933Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574932Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574931Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574930Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.300{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms~RFa7aac38.TMPMD5=6163018A9059420DF7DA0DB8522C7F7C,SHA256=1D0B18E044F36C8FB2426F97ED334F36BEDAD682379F4EA359C2DE7407F55211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574929Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.300{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E45206F1BB52F065C3713D67B2DC2A51,SHA256=0C5A4E7F6DE3FBADB8FF0A0622A3C03961A11B2BAF062FFF3808801C3B1189B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574928Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.284{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574927Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.284{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574926Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.284{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms~RFa7aac19.TMPMD5=CE4EA1958BD7A54E6FFE7BD3A599A642,SHA256=6672E28A3AD07202118B42BBAC559D6A65AF8B3829B7AEB2F18B3EB70027DEFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574925Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.284{E1BD9FC2-8179-609D-4451-00000000BB01}32161568C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574924Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.284{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3056260599-3525860832-1735521891-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574923Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.268{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms~RFa7aac09.TMPMD5=595763DFD2DAB977091A843EBCF1164F,SHA256=C7A2B95661E15C18F8407CD81FBDE33356781C26DF3C60ED914AC534D35CEF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000574922Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.253{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms~RFa7aac09.TMPMD5=DADFF5A5756573645ADC5785A8099647,SHA256=CCF4C19E821EBC9A362A58A3B6CCC2B03674297D1777C6036A83EDF672C16A11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574921Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.253{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574920Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.253{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574919Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.253{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574918Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.253{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574917Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.253{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574916Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.253{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574915Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.253{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574914Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.253{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms~RFa7aabfa.TMPMD5=D252F6F15CAEDF365FE2BA1989DBE20F,SHA256=82FB3B41C3D72F27391B1D27B42C99932F26CF5C6E817B65AF5AAD293BC24ACB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574913Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574912Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574911Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574910Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574909Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574908Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574907Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574906Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574905Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574904Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574903Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574902Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574901Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574900Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574899Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574898Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574897Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574896Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574895Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574894Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574893Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574892Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574891Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574890Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574889Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.190{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574888Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.190{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817A-609D-4B51-00000000BB01}772C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574887Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.190{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-817A-609D-4B51-00000000BB01}772C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574886Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.190{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817A-609D-4B51-00000000BB01}772C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574885Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.190{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123320C:\Windows\system32\svchost.exe{E1BD9FC2-817A-609D-4A51-00000000BB01}3448C:\Windows\System32\unregmp2.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574884Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.190{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-817A-609D-4A51-00000000BB01}3448C:\Windows\System32\unregmp2.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574883Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.175{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AEFE2D266D073F8D28A3E651BED38A5A,SHA256=3933CFF1BFBD57CA1892B33A288D9C25BA5C2E8D86DB43DD25C2771D05330618,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574882Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.175{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574881Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.175{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574880Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.175{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574879Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.175{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574878Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.159{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3448C:\Windows\System32\unregmp2.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000574877Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.159{E1BD9FC2-8179-609D-4251-00000000BB01}39324084C:\Windows\Explorer.EXE{00000000-0000-0000-0000-000000000000}3448C:\Windows\System32\unregmp2.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+551e34|C:\Windows\System32\SHELL32.dll+551890|C:\Windows\System32\SHELL32.dll+551a04|C:\Windows\System32\SHELL32.dll+1cc59b|C:\Windows\System32\SHELL32.dll+30b2d|C:\Windows\System32\SHELL32.dll+ae621 154100x8000000000000000574876Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.163{E1BD9FC2-817A-609D-4A51-00000000BB01}3448C:\Windows\System32\unregmp2.exe12.0.14393.4169 (rs1_release.210107-1130)Microsoft Windows Media Player Setup UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationunregmp2.exe"C:\Windows\System32\unregmp2.exe" /FirstLogonC:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=0AFAF8B10C3D2B009DED280C875EA3EA,SHA256=CFC5A8170AF2CCB8F846BA738E5173596A4C35C023BCE5E6EB04E07779283188,IMPHASH=DFC94E57160B0CE8835243B5D92F3D9E{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\explorer.exeC:\Windows\Explorer.EXE 13241300x8000000000000000574875Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.159{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\PolicyVersionDWORD (0x0000021a) 13241300x8000000000000000574874Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.159{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222S-1-5-21-3056260599-3525860832-1735521891-500v2.26|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|C=S-1-15-3-3845273463-1331427702-1186551195-1148109977|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|M=microsoft.bioenrollment_cw5n1h2txyewy|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|D=C:\Windows\SystemApps\Microsoft.BioEnrollment_cw5n1h2txyewy\|PFN=Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy| 10341000x8000000000000000574873Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574872Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000574871Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.128{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C98D5019-842A-4BE2-A40F-766795FC9D7D}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|EmbedCtxt=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}| 13241300x8000000000000000574870Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:54.128{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{AEA0B87C-A46E-404D-87D9-DFC83861F99A}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|Desc=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-19479607-1015771884-3827151630-3301822711-2267158487-4079414233-1230461222|EmbedCtxt=@{Microsoft.BioEnrollment_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.BioEnrollment/Resources/AppDisplayName}| 23542300x8000000000000000574869Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.128{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D566EE44FDCA6CB26073E94FFF39EC0,SHA256=14E629E2DA7262FAE715CC04648B53B30CD7944A79591370786FC08314981BA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574868Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.097{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123320C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+74a3|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574867Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.097{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574866Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574865Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574864Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.097{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C2FDC31FBF492A1611734FA573F2EDF9,SHA256=2EFDBF814AAC6663E16E1F69F2C517B2C44602FD2163B185FA3AF8F4E09BCD60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574863Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.081{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574862Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.081{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574861Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574860Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574859Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.065{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58EDFFE118CBDD458DBACF0059A696CA,SHA256=546EF339A478C0A519E9FD5E478C9A3915DD95F0E08A0C9C0A3C28AA5BB0B096,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574858Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574857Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574856Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574855Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574854Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574853Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574852Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574851Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574850Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574849Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574848Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574847Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574846Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574845Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574844Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574843Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574842Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574841Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000574840Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.018{E1BD9FC2-8179-609D-4551-00000000BB01}3772WIN-HOST-681\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\Administrator\Favorites\Bing.urlMD5=5D42DDDDA9951546C9D43F0062C94D39,SHA256=E0C0A5A360482B5C5DED8FAD5706C4C66F215F527851AD87B31380EF6060696E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574839Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574838Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574837Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574836Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574835Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574834Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574833Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000574832Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.987{E1BD9FC2-8179-609D-4551-00000000BB01}3772C:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txt2021-05-11 18:12:45.978 23542300x8000000000000000574831Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.987{E1BD9FC2-8179-609D-4551-00000000BB01}3772WIN-HOST-681\AdministratorC:\Windows\System32\ie4uinit.exeC:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\brndlog.txtMD5=9902BAEDC06FA4A8681E696EE6C73C06,SHA256=D0628FA63102EE74053BC6EFDD297AED794848F5DC300DAA7E391F4CF04E8511,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000574830Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.987{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cea|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000574829Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.987{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676370Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:54.627{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=21C685FF3FF462E2DCC7D2828166C491,SHA256=A128D62C1DEABFD701741B3A52B53741D776728ABE243330EEED4BAFF672BADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676369Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:54.627{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B40D1F9897095FAFDC7DDE2B8DFA6269,SHA256=439DAB6E72635D22669F1C850BB6A57A29707894387AAA416CA66E655728810A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676368Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:54.627{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=6DB3C76D88964D7AD4FB0CCD5DA66F04,SHA256=0155A40E128A6D665742F93F231C492807D3FEC528182EABBB4B8621E7DF23D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676367Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:54.627{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B8341DF2133F8398A5480578163B7815,SHA256=D9DD2B73CA102E81F15FC3A7FB63B81C5A3CCE48FEC95A1CE33BCCBAB32CF3E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676366Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:54.627{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=98C43F6AF742CF81FAD8A7A23E5B0E73,SHA256=461FDBFFB547D8D1DBB47507686C2550E8B8AFFC96485AB8C3130EFF519BDAD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676365Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:54.627{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=A63F533688F438F054842D759867EB07,SHA256=CD8003C8307BAB75ED5B7C8058E626B2AA26E14E244D8FB35886EA2E3FBBD0DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676364Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:54.627{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=1546671029718010E76C0832F4085F1A,SHA256=65E0122EB84DB56C300FE38D65C8031FEE2F1C9AB7DEEC0A4C5BEC79BF1F28E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676363Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:54.627{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=4AB3336E609895B10F564C8ECB3D83DA,SHA256=191D8AC8A86159E9852AD0CDD31F79BCFF1F649C5300C5D05878B59A8E9AD82F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676362Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:54.380{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C065527C2B1B48DB6D770C870A6CE112,SHA256=1DFCD5605564E63B1B95B12A90021C2EBE09CF464D2DFB21415431A7601AD45A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575791Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575790Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575789Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575788Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575787Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575786Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575785Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575784Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575783Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575782Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575781Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575780Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575779Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575778Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575777Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575776Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575775Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575774Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575773Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575772Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575771Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.972{E1BD9FC2-8179-609D-4451-00000000BB01}32162664C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575770Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.972{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575769Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575768Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575767Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575766Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575765Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575764Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575763Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000575762Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.956{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493S-1-5-21-3056260599-3525860832-1735521891-500v2.26|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|C=S-1-15-3-1|C=S-1-15-3-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|M=microsoft.xboxgamecallableui_cw5n1h2txyewy|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|D=C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\|PFN=Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy| 10341000x8000000000000000575761Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575760Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575759Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575758Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575757Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575756Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575755Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000575754Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.940{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{1E9B7CB3-A9E6-4EA7-BA2F-824E1F395C8D}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Platform=2:6:2|Platform2=GTEQ| 10341000x8000000000000000575753Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575752Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000575751Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.940{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{3B2D97EF-8E02-4EAC-9A04-82790FB9C29E}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 10341000x8000000000000000575750Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575749Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575748Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575747Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000575746Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.940{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{5F2DCB8F-7762-4796-BB9D-1621570832B2}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 10341000x8000000000000000575745Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000575744Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.940{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{6557DCF3-57F4-4DF3-8E45-591322E1D7D6}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|Desc=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-957941444-2271171641-4049211970-804197638-2225746618-2474488012-4131196493|EmbedCtxt=@{Microsoft.XboxGameCallableUI_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.XboxGameCallableUI/resources/PkgDisplayName}| 10341000x8000000000000000575743Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575742Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575741Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575740Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575739Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575738Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575737Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.925{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575736Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.925{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000575735Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.925{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531S-1-5-21-3056260599-3525860832-1735521891-500v2.26|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|C=S-1-15-3-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|M=microsoft.windows.secondarytileexperience_cw5n1h2txyewy|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|D=C:\Windows\SystemApps\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\|PFN=Microsoft.Windows.SecondaryTileExperience_10.0.0.0_neutral__cw5n1h2txyewy| 13241300x8000000000000000575734Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.925{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{15ACCC64-FFA3-4C12-BBB2-5DE1DBE020CE}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|EmbedCtxt=SecondaryTileExperience| 13241300x8000000000000000575733Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.925{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{59FFD63F-6DD6-423B-8631-B75837A3DE5D}v2.26|Action=Block|Active=TRUE|Dir=In|Name=SecondaryTileExperience|Desc=SecondaryTileExperience|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2572118008-3077471215-3128327636-2598586217-811314952-2132569887-2279274531|EmbedCtxt=SecondaryTileExperience| 10341000x8000000000000000575732Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575731Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575730Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575729Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575728Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575727Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575726Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575725Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575724Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575723Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575722Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575721Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575720Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575719Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575718Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575717Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575716Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575715Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575714Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.SecondaryTileExperience_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575713Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575712Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575711Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575710Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575709Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575708Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575707Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575706Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575705Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575704Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575703Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575702Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575701Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575700Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575699Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575698Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575697Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575696Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575695Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575694Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575693Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575692Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575691Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575690Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575689Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575688Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575687Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575686Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.878{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3056260599-3525860832-1735521891-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575685Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575684Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575683Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575682Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575681Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575680Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575679Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575678Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.862{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575677Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.862{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575676Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.862{E1BD9FC2-8179-609D-4451-00000000BB01}32161568C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575675Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.862{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3056260599-3525860832-1735521891-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575674Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575673Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575672Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575671Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575670Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575669Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575668Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.847{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575667Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-8179-609D-4451-00000000BB01}32162664C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575666Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575665Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575664Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575663Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575662Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575661Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575660Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575659Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575658Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575657Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575656Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575655Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575654Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575653Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575652Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575651Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575650Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575649Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575648Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575647Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.831{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575646Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575645Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575644Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575643Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575642Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575641Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575640Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575639Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575638Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575637Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575636Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575635Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575634Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575633Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575632Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575631Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575630Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575629Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575628Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575627Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575626Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575625Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575624Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575623Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575622Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575621Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.815{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575620Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.800{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575619Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.800{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575618Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.800{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000575617Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.800{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769S-1-5-21-3056260599-3525860832-1735521891-500v2.26|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|C=S-1-15-3-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|M=microsoft.windows.assignedaccesslockapp_cw5n1h2txyewy|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\|PFN=Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy| 13241300x8000000000000000575616Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.800{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{77AB14A3-A8B9-4B6B-8FA6-A736C6376C6C}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|EmbedCtxt=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}| 13241300x8000000000000000575615Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.800{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C368E939-25E6-471F-A76D-CA0EFC8A1FCB}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}|Desc=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDescription}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2705751783-1496458293-2835996032-3143071717-1071345625-677459937-2760321769|EmbedCtxt=@{Microsoft.Windows.AssignedAccessLockApp_1000.14393.2068.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.AssignedAccessLockApp/Resources/PackageDisplayName}| 23542300x8000000000000000575614Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.784{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575613Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575612Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.768{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575611Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575610Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575609Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575608Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000575607Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.753{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706S-1-5-21-3056260599-3525860832-1735521891-500v2.26|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|C=S-1-15-3-1|C=S-1-15-3-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|M=microsoft.windows.apprep.chxapp_cw5n1h2txyewy|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.0.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|D=C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\|PFN=Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy| 10341000x8000000000000000575606Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575605Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575604Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575603Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000575602Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.753{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{6456EFC2-465A-46D9-AE99-189C467994B3}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ| 10341000x8000000000000000575601Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575600Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575599Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575598Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575597Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000575596Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.753{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{94521D8D-EABC-4B3E-99EA-E063168BCC2E}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 10341000x8000000000000000575595Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575594Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575593Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000575592Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.753{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{FA2EBE02-341B-4D56-B76C-E8260EBE1099}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 13241300x8000000000000000575591Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.753{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{02B6A9F9-41A0-40EF-B089-1E786FD6CF12}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|Desc=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1255970798-2717750985-493741290-1721212560-3530798636-1829112236-3118580706|EmbedCtxt=@{Microsoft.Windows.Apprep.ChxApp_1000.14393.2969.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Apprep.ChxApp/resources/DisplayName}| 10341000x8000000000000000575590Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575589Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575588Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575587Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575586Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575585Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575584Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575583Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.737{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575582Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575581Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575580Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575579Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575578Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575577Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575576Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575575Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575574Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3056260599-3525860832-1735521891-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575573Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575572Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575571Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575570Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575569Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575568Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575567Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575566Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575565Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575564Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575563Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575562Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575561Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575560Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575559Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575558Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575557Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575556Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575555Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575554Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.690{E1BD9FC2-8179-609D-4451-00000000BB01}32162664C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575553Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.690{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575552Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.690{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575551Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.690{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3056260599-3525860832-1735521891-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575550Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575549Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575548Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575547Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575546Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575545Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575544Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575543Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575542Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575541Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575540Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575539Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575538Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575537Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575536Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575535Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575534Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575533Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575532Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575531Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575530Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.675{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575529Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575528Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575527Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575526Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575525Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575524Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.659{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575523Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.659{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000575522Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.628{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312S-1-5-21-3056260599-3525860832-1735521891-500v2.26|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|C=S-1-15-3-1|C=S-1-15-3-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|M=microsoft.lockapp_cw5n1h2txyewy|Name=@{Microsoft.LockApp_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|D=C:\Windows\SystemApps\Microsoft.LockApp_cw5n1h2txyewy\|PFN=Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy| 13241300x8000000000000000575521Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.628{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{71862BE7-0D59-42D5-B1DA-13A2AF9B6CAB}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x8000000000000000575520Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.628{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{087E2872-95E0-4ACF-B724-E5B7D5AB4FCF}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 13241300x8000000000000000575519Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.628{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{B15FD4E1-887A-4046-A6B4-AD2206649F65}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 13241300x8000000000000000575518Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.628{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{4108C5E1-591D-4859-887F-C61873804176}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|Desc=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-2758101530-1321080646-1475665648-4066602542-2880396197-3643791541-2654759312|EmbedCtxt=@{Microsoft.LockApp_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp/resources/AppDisplayName}| 23542300x8000000000000000575517Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.612{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575516Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575515Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575514Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575513Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575512Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575511Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575510Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575509Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575508Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575507Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575506Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575505Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575504Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575503Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575502Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575501Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575500Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575499Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575498Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575497Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575496Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575495Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575494Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575493Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575492Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575491Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575490Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575489Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.565{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3056260599-3525860832-1735521891-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575488Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.550{E1BD9FC2-8179-609D-4451-00000000BB01}32162664C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575487Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.534{E1BD9FC2-8179-609D-4451-00000000BB01}32161568C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575486Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575485Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575484Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575483Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575482Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575481Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575480Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575479Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575478Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575477Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575476Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575475Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575474Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575473Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575472Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575471Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575470Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575469Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575468Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575467Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575466Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575465Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575464Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575463Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575462Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575461Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575460Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575459Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575458Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575457Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575456Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575455Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575454Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575453Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575452Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575451Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575450Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575449Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575448Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575447Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575446Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575445Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575444Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575443Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575442Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575441Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575440Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575439Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.503{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575438Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.487{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575437Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575436Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575435Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575434Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575433Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575432Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575431Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575430Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575429Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575428Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575427Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575426Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.487{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575425Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.472{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000575424Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.037{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544pki.intel.com0type: 5 certificates.intel.com.edgesuite.net;type: 5 a243.d.akamai.net;::ffff:23.223.52.19;::ffff:23.223.52.80;C:\Windows\sysmon64.exe 22542200x8000000000000000575423Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.678{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544ocsp.intel.com0type: 5 ocsp.comodoca.com;::ffff:151.139.128.14;C:\Windows\sysmon64.exe 13241300x8000000000000000575422Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.362{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633S-1-5-21-3056260599-3525860832-1735521891-500v2.26|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|C=S-1-15-3-1|C=S-1-15-3-9|C=S-1-15-3-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|M=microsoft.accountscontrol_cw5n1h2txyewy|Name=@{Microsoft.AccountsControl_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.0_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|D=C:\Windows\SystemApps\Microsoft.AccountsControl_cw5n1h2txyewy\|PFN=Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy| 13241300x8000000000000000575421Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.362{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{879944C4-0551-4864-9511-86107587DB0D}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x8000000000000000575420Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.362{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{25945B7B-895D-4BE4-B94F-149B18FB1B99}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 13241300x8000000000000000575419Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.362{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{4BDBDBDA-5B51-4A9E-B3C0-2B2167D64967}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 13241300x8000000000000000575418Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.362{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{DD2CEBBA-98F2-4F73-8D8A-1DC662EB836E}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|Desc=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-969871995-3242822759-583047763-1618006129-3578262429-3647035748-2471858633|EmbedCtxt=@{Microsoft.AccountsControl_10.0.14393.2068_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}| 23542300x8000000000000000575417Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.347{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000575416Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.315{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742S-1-5-21-3056260599-3525860832-1735521891-500v2.26|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|C=S-1-15-3-1|C=S-1-15-3-2|C=S-1-15-3-3|C=S-1-15-3-4|C=S-1-15-3-6|C=S-1-15-3-8|C=S-1-15-3-9|C=S-1-15-3-787448254-1207972858-3558633622-1059886964|C=S-1-15-3-3215430884-1339816292-89257616-1145831019|C=S-1-15-3-3071617654-1314403908-1117750160-3581451107|C=S-1-15-3-593192589-1214558892-284007604-3553228420|C=S-1-15-3-3870101518-1154309966-1696731070-4111764952|C=S-1-15-3-2105443330-1210154068-4021178019-2481794518|C=S-1-15-3-2345035983-1170044712-735049875-2883010875|C=S-1-15-3-3633849274-1266774400-1199443125-2736873758|C=S-1-15-3-2569730672-1095266119-53537203-1209375796|C=S-1-15-3-2569730672-1095266119-53537203-1209375796|C=S-1-15-3-2452736844-1257488215-2818397580-3305426111|C=S-1-15-3-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|M=microsoft.windows.cortana_cw5n1h2txyewy|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|D=C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\|PFN=Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy| 10341000x8000000000000000575415Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575414Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575413Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575412Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575411Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575410Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.315{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575409Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.315{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96D9AD92C125144CB69D06E9A9762305,SHA256=DBFFAFD960E9F9621E0561DFF05E5182DB8618DF4F79F12860ED6CDC23D90CFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575408Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575407Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575406Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575405Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575404Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575403Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575402Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575401Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575400Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575399Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575398Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575397Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000575396Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.300{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{EB30728D-75CD-48BC-BD69-93D08498F8D9}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ|Edge=TRUE| 13241300x8000000000000000575395Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.300{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\{9BFD0E85-AAED-48E5-828A-2CB3F952FD4B}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Platform=2:6:2|Platform2=GTEQ| 13241300x8000000000000000575394Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.300{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{602C16A7-DDEB-4C9A-8EF5-456D4E6E247A}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x8000000000000000575393Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.300{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{36E775EB-0E01-4398-806E-1B1D041CDA3F}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntErnet|RA62=IntErnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-2)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 10341000x8000000000000000575392Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575391Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575390Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575389Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000575388Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.300{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{C6F13B19-CF9E-4A99-A17D-7413D7AC79F7}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Security=Authenticate| 10341000x8000000000000000575387Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575386Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575385Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.300{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000575384Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.300{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{76994C2A-1FD3-4BE2-808E-849720950A3B}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Private|Profile=Public|RA42=RmtIntrAnet|RA62=RmtIntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Security=Authenticate| 13241300x8000000000000000575383Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.300{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{78CE546C-26AF-4E0D-AD18-78E840EE6B90}v2.26|Action=Allow|Active=TRUE|Dir=Out|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x8000000000000000575382Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.284{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{B434471E-7292-4AFA-BC8E-A6F4594065C7}v2.26|Action=Allow|Active=TRUE|Dir=In|Profile=Domain|Profile=Private|Profile=Public|RA42=IntrAnet|RA62=IntrAnet|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUAuth=O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x8000000000000000575381Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.284{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{6D9BD017-2326-4F24-9E2B-D9AEAAAE6EB6}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 13241300x8000000000000000575380Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:55.284{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{D2980135-AF18-4E99-A867-2AD002227AE9}v2.26|Action=Block|Active=TRUE|Dir=In|Name=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}|Desc=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/ProductDescription}|LUOwn=S-1-5-21-3056260599-3525860832-1735521891-500|AppPkgId=S-1-15-2-1861897761-1695161497-2927542615-642690995-327840285-2659745135-2630312742|EmbedCtxt=@{Microsoft.Windows.Cortana_1.7.0.14393_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.Cortana/resources/PackageDisplayName}| 23542300x8000000000000000575379Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.284{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C34FB4CCFC1804FCACDD01B247B141F,SHA256=C95EC2A7C8AE90C7D3F915EBEDB9526254A866D9DE33DE8EC3A54FDE9D3B1D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575378Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.268{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG2MD5=F045C633B9340D27547D12EECC7EE0B9,SHA256=9D04CBA5F699DF1AD06BC5541F85917A856292F181493393EC89EBF2980A1B3B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575377Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.268{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575376Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.268{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575375Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.268{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3056260599-3525860832-1735521891-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575374Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.268{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.dat.LOG1MD5=CD0B1FDF28910E391492F4807B474473,SHA256=EF923067C3091E773EB086A786D5E2FCA53B01EE8CE0A2EEB6704C85935CD2F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575373Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.268{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\Settings\settings.datMD5=9C746CF42DB3B621537D8310CE3D4BE1,SHA256=52D93909D30105CE61FB14BD32AC9473BC627199AA83808B337F6D874CC46FDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575372Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.268{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131420250026721327.txtMD5=35CB8C19D2035D2165E1EFA7FA0ADF70,SHA256=5DCC967527060112D9824F3C852F5F1344613C12F2BEEAAF6D67A901E00B615F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575371Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.253{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache131420249992652675.txtMD5=35CB8C19D2035D2165E1EFA7FA0ADF70,SHA256=5DCC967527060112D9824F3C852F5F1344613C12F2BEEAAF6D67A901E00B615F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575370Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.253{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settingssynonyms.txtMD5=9239D33BCC9C55C4D97DCAE64A7E2F5B,SHA256=D147C9B76ACC226324DEF206D680C3368109018BE254FD1399C8E2ED2C3D77E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575369Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.253{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settingsglobals.txtMD5=D2D6B108ED635B192276F2E13160BB9F,SHA256=598A2674BE811C1256B0E18311CE5CBA2A542D0965FF4A0AC96173CE78A4C575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575368Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.253{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settingsconversions.txtMD5=F21F68AB0FD9BF5B4255EDDDE72BE816,SHA256=9034FBD5F370A37A2E43CAE5D482B84D3ED9B6C62C6DDBC4BEE25B0526AD25EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575367Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.237{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settings.schemaMD5=AC68AC6BFFD26DBEA6B7DBD00A19A3DD,SHA256=D6BDEAA9BC0674AE9E8C43F2E9F68A2C7BB8575B3509685B481940FDA834E031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575366Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.237{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\settings.csgMD5=A97FD910ECCB1049B949DF2B6D0EA605,SHA256=B84B14439AD5607B15A96B922CD63EA6C8CB1281BF3B84037C5CE90FBEB29766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575365Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.237{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\appssynonyms.txtMD5=E86D86E41327A21E2448076DD6C97A81,SHA256=A3DC890A9E3D99D3336455F0CFD94ACCAAD69242D0A1C8649AC82B8E1F8BB6FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575364Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.237{E1BD9FC2-8179-609D-4451-00000000BB01}32161568C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575363Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.237{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\appsglobals.txtMD5=5925E930562DA940101DE785C1CBC5B3,SHA256=B6C3C8B85CECB5743E5A62C706152F83606B5690F0926B5CC16D29CBFE3ED39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575362Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\appsconversions.txtMD5=F21F68AB0FD9BF5B4255EDDDE72BE816,SHA256=9034FBD5F370A37A2E43CAE5D482B84D3ED9B6C62C6DDBC4BEE25B0526AD25EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575361Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\apps.schemaMD5=1659677C45C49A78F33551DA43494005,SHA256=5AF0FC2A0B5CCECDC04E54B3C60F28E3FF5C7D4E1809C6D7C8469F0567C090BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575360Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{93e918b8-f239-44ba-b3fb-ad2d4b5024b9}\apps.csgMD5=FB7202F6D377FD89C7B261E34D680D33,SHA256=839D24F509CA8BF8737074BF42E83A88A32EE3760BD34BBA2A7CF6CF482A1C0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575359Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575358Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575357Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575356Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575355Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575354Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575353Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575352Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\Apps.indexMD5=D38A175DD3C786FE6065A00AD306D74F,SHA256=57D9784D2866D21A61FA5FB04373807EDCBF7FAF298A2894C482A6EA80D419FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575351Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\Apps.ftMD5=F256707B0901454854702BF58E4DEF0B,SHA256=2603EF3B568C277FF92E75593C0969A0E24291BBC9419080B77D567A53825ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575350Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\Apps.dataMD5=09924E1BACD1740F5906D89DD6905D99,SHA256=98C574D4894041260AB499048E2B5CB9F58A58AA42B5DDFAE9C44D2BEEA9023D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575349Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575348Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575347Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575346Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575345Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575344Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575343Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575342Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.222{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\0.2.filtertrie.intermediate.txtMD5=C204E9FAAF8565AD333828BEFF2D786E,SHA256=D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575341Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\0.1.filtertrie.intermediate.txtMD5=34BD1DFB9F72CF4F86E6DF6DA0A9E49A,SHA256=8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575340Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575339Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575338Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575337Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575336Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575335Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575334Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575333Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{521a01b1-5b6c-41b6-ad58-79363f21599f}\0.0.filtertrie.intermediate.txtMD5=F975464F45E06A57B8FE3C4FFE644599,SHA256=41B65982C681DAFBA517CEA1878436C4FE1500C161A00B9A916661DB425D5FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575332Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\Apps.indexMD5=D38A175DD3C786FE6065A00AD306D74F,SHA256=57D9784D2866D21A61FA5FB04373807EDCBF7FAF298A2894C482A6EA80D419FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575331Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575330Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575329Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575328Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575327Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575326Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575325Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\Apps.ftMD5=F256707B0901454854702BF58E4DEF0B,SHA256=2603EF3B568C277FF92E75593C0969A0E24291BBC9419080B77D567A53825ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575324Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\Apps.dataMD5=09924E1BACD1740F5906D89DD6905D99,SHA256=98C574D4894041260AB499048E2B5CB9F58A58AA42B5DDFAE9C44D2BEEA9023D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575323Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\0.2.filtertrie.intermediate.txtMD5=C204E9FAAF8565AD333828BEFF2D786E,SHA256=D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575322Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.206{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\0.1.filtertrie.intermediate.txtMD5=34BD1DFB9F72CF4F86E6DF6DA0A9E49A,SHA256=8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575321Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.190{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{1898f399-c028-4710-b40c-a5a12eaa891f}\0.0.filtertrie.intermediate.txtMD5=F975464F45E06A57B8FE3C4FFE644599,SHA256=41B65982C681DAFBA517CEA1878436C4FE1500C161A00B9A916661DB425D5FB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575320Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.190{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575319Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.190{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{FEEDCB9B-F3C5-495B-A8D7-84F79D27D88E}MD5=9FCDA9AF0663B95421B2DF4DF2E1B9D4,SHA256=B3003B1A6220FA0F3390E2F297DFA4209C45C3D8FB9B55ABBA2507792720A89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575318Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.175{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{FE283CE6-7678-4BF6-BD45-D855B6683130}MD5=3E30C6D0FC6DB0EE27A19FCF25DF566B,SHA256=EA12C2CD052FE46441BCC9C4FB81D9D52C1FEE3AEE762C09EB2FE34D19B1D2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575317Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.175{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E79AFC5E-81E0-48C0-B2B8-B0755C4E824D}MD5=8571A37EA5341C6306283678D6D7B3F7,SHA256=DA51B889B504FE15B3526AA6A87A4A9843989F4EB6D32CFB205861A223030B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575316Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.175{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E46F3460-B4C6-40F2-9BF2-B4D9A4F6ED86}MD5=DB04268CDC55A7FE26A2F145F86BF875,SHA256=CFACBA24A15CFB163790F9C67CDB2B2CC82CE006B9E32AC8687DBFC7DB69B258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575315Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.159{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E28967A0-A00F-44F4-BEB5-D1DC1F682F91}MD5=D073912E2B55F885ADC380FB3849A88D,SHA256=3D6632DD180019CC415F024A5C0724886E4F5E90116E78F5B390E09475C8A1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575314Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.159{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{E1C5F6E0-5D96-4432-9C54-B630B005F17D}MD5=A220E6F69189C7C262EA46B8EE8E6FE4,SHA256=556020DC6EFBDBF8054FAEEE15519516CBF2B11904D5AF9E04D041D7480BCA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575313Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.159{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{DE7873BF-B56F-4465-AA14-AD810677CFF1}MD5=5E62597AD6E77746796E3B8571490D14,SHA256=45FB70B917C807BEFD513465866C4D27A4E869DA31182CDCF6D314DF224EB651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575312Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.159{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{D7779C65-D55A-4E6E-AB28-222AD101D61C}MD5=9001B10995D8FDABC78945D7B210649D,SHA256=92818CA4F5FB7F3808ABFDE9EFED7E2292FBE9195366132EDB50F3A246CA00B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575311Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.159{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{CAD3CFB0-7CDE-43F8-B95D-98E958A585B7}MD5=41ABD480C1392D97DF3ACFFE760D2804,SHA256=7BEF858DA7D8B87F8E4C7804731E91AF5618DF4838EFC2BE398F609078268479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575310Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.159{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{C5DABA0D-CF94-465F-9B6B-C598EE8CCEE8}MD5=DEAC14151C0C509293EEE44191D9CD8D,SHA256=A169AF78E7C013538AE66FC03A2B859A0D6D4F5D5F77BFF03415E9C25084B430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575309Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.159{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{BBD6B771-DF9C-48D4-99BF-77C177FAAD05}MD5=ED16924B1B7A952B1CB20D8515BEBB70,SHA256=6966D629DD24B6904DB8AA9C9F06197706E039848C15BE8FA738E4ED25F06B0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575308Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.143{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B69C64CD-23EC-43CB-8DAE-EB6560EAACC3}MD5=A461B8A48DB3B6C08E072140728A43C4,SHA256=21C57136A790877DA3640B5691C0F651D503D133B2B6936F5203BEE3F30A9565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575307Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.143{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B59BA0CB-7100-4018-A4F9-D539D5F4E058}MD5=DA594A38AD299ADA683372EBA5881CAD,SHA256=F0529ED98871CFB5607C993309D0A3DDB84CE36EC2E41897CB6BD8EB683711CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575306Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.143{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B4D06CEE-9D19-4A4D-B72A-396F2B566927}MD5=5F0A30B2DC6750BA2867B7BC006BD8FB,SHA256=9051D648449406B051B8A06D3372962529004EE159132D437E89AB6AEFA8A880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575305Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.143{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B14CA865-C958-4580-9074-7E92964475FC}MD5=73252311BC2FB738EA33277A28F3596B,SHA256=7B6EA44D32065F717612C79F94114F9259C08D5465EBC007F16AEA92FD4D1CEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575304Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.143{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{B0DD03EF-8C20-43DB-BDD2-4CFAB623574E}MD5=74017CA605E121CBA7CF92459B8C5638,SHA256=A4B6642597D4E32EB8FAC89CB4450E226C3978F963BDBFE95ECCAA527F1E8EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575303Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.143{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{AD913853-B212-444B-9876-3E2C3A49A8EB}MD5=206A73951B8654BD2B70962A78C00BE1,SHA256=19DA4F01CBB9BFDD977E06AF58B95CEC1D4A027C776A178469251B5F0B9D9A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575302Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.143{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{A5400422-73B1-4B93-91A9-72E697208472}MD5=00B94F495BD57E421FEF46D7A1EECF44,SHA256=3C1C7F8A819B758DAD75031F99AEF06C94B418FA2FC199F82BFAE815483E11C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575301Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.128{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{A4E61E50-3EF0-4DA6-8275-CD489D676DAB}MD5=2BA0F2705632CB30D7BCA6DF8D087F2D,SHA256=7E47070E9ED1DFB752DD755B918F943B0B231C0885F55DF05EE82470595E3022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575300Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.128{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{9D07DE99-52F7-454A-8CE6-31DA9AA94ED8}MD5=9456CEECAC6A1245C482C3B82593846D,SHA256=963DE82340F63CFB27DFDD15CD5643FE93D6C0AADB0B96B7923F0E23815F10CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575299Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.128{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{98C2D61D-6107-43E9-BCD8-6EB83D77ADEF}MD5=60FFAC14CA2196E3D54342C4C45F7C2B,SHA256=9979DFF1E142B348644E5C7735FCD13D8871408DCF4E0913D9FD9A3EC8436C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575298Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.128{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{9485A429-81C2-4352-A24F-92682A765D4B}MD5=349FE67C44E950D305D486C590998F2B,SHA256=B5832863667B94E5D9380583C2B626BC6969F8C9D362D2241F99C57ED5A4B157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575297Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.128{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{8D75FAE0-23F9-47DE-A54A-C2427D45DCAC}MD5=DEAC14151C0C509293EEE44191D9CD8D,SHA256=A169AF78E7C013538AE66FC03A2B859A0D6D4F5D5F77BFF03415E9C25084B430,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575296Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.128{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{8AB7F553-0827-496F-B610-82D31E06AC96}MD5=A2C26EBC40D4625D952314673C6141E9,SHA256=902AC55382C57835ED2151549B7D12211436E67A63B3B0E44FB384A661228729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575295Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.128{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{891D5E7A-7A57-4CBF-9089-443EE49B6103}MD5=911DEFC897CECC2D0C78E5B96D5D515B,SHA256=965BD9A6F5738140EB5A51EFBC44129112C25FC82825BA7F30113602A6E8C902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575294Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.128{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{891649DE-3DE4-49E5-90AC-0987EA95353B}MD5=05F75F6404996B3E39476104E78DF209,SHA256=1E4258113A2D151783ADB9D626D38E7F67CFAB9C79FE14B27E07170081D145C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575293Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.112{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{84B49252-6DEC-40A8-90BE-86AE577E1B23}MD5=55F95E08D08A7A3768F27800D9217B04,SHA256=37F9BC821FDE92326D617E96AA6ADB2DBE7EB2666B1A88451F9410B80A774377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575292Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.112{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{829BE0F1-69E1-42FD-A3B6-359E1C3C1345}MD5=B467C6E316631A8A0420CB9F40222D93,SHA256=55336E857424336DBC05D5B2B96AEAAE4D296B1D6D5B031A5869B25143624085,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575291Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.112{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{80A3BBAD-ABC2-4C9D-86E6-B04FA287F655}MD5=4174344A2D19128BADE81E2EB14BDC1D,SHA256=FC6C1C04EE333CB336B7DC428C25B995F7B85F49ADBDC88EBC7262C1307885FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575290Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.112{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{74B164BF-3E71-46AF-8ACB-AAA4A76A5378}MD5=349FE67C44E950D305D486C590998F2B,SHA256=B5832863667B94E5D9380583C2B626BC6969F8C9D362D2241F99C57ED5A4B157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575289Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.112{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E01E8CBDAB9277C7EEA1AF7B666A1071,SHA256=D93549C325383644DFCA24B3D3785035781C60B6C1A58A92B89E2E105FE9258A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575288Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.112{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{735E8BE6-1731-42CA-A8F3-B53E930EDCDB}MD5=18E3CA8C6CCA69E00EC76747FAB81F0B,SHA256=08148891128E558A6C3CD3EEEE68457F3D1A10F1A2720DE0A4E27D1543A4F785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575287Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.112{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{72CE2732-257D-4200-8BC3-7ABC84224683}MD5=854754F8D9E7F7D9AAF2FA7F6BE1A1EF,SHA256=E6F4EFACF3E1CAD20C8245C7B9408E2BE2C2D6FD70B781F48A4BA22F067ED731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575286Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.112{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6D1CC60E-42DB-4A1B-A50C-DC1DF51BFBF1}MD5=5E74B43DD59C1AB6F5244DA6154DDEB4,SHA256=DB8971C2F98690196197BC5A5875D3233E0FBC7B512BFA60659E67D5296FE080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575285Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.112{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{6A253CE4-5CE2-4926-BF13-2F00787D2097}MD5=D9E99905D3D6FB42429AAF5DE84FCADA,SHA256=B8359F6E6BC9E16731B65A9F8253C86E846E9C1F951B1351CBD649FA6E286BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575284Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.097{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{552E6613-D145-4B51-A24E-3C8B003E24A4}MD5=C359A6183B25EF8221256AFEDCE656B8,SHA256=E9122C2C02DEBBB1AFF1FBFE30465AFAA0CFBD4EAE9C10AEA58A6663DEE9EE8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575283Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.097{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{526402D0-291F-4761-931C-0273D14B2CF0}MD5=0CE681BD1598F07606E87609151DC42A,SHA256=1334CF9557C973A9F6AF7280C8C165C434A24947DE6E1647B27E62CB822FF31A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575282Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.097{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4FC5BD42-2CCF-4A96-AD8E-C83520ADB20F}MD5=922CD9F5F7320A813B0DAC1080EB7709,SHA256=346145F9100D8CA04CE7FC277D8775DF500D1FD1995F6CE28BBEEF685DFF04DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575281Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.097{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4E171B62-A785-4231-B14E-626B192185F0}MD5=0796DDBF4C9B9D94DC5FD03E92485F28,SHA256=DBC10BA43AA770F1D3A36F7CAC2B50AE664804F28214B792E3C56266D7E8F377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575280Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.097{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4CC3BE49-DBA3-470D-94C8-20CE40F2BCAA}MD5=164DF3D6F46E23E2FA08C9D8B57D071C,SHA256=2CEAF005435274273EB097157EA09E468BCD39ED9A7D63ECD04A0C6986B1528C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575279Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.097{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4CA8F3BE-4DEC-4028-BAEF-6491FC4270C3}MD5=68F587A5B93845BD54716A6C6C932688,SHA256=3A319B5FA81F068C11959C024D08DADF279A00CA5C6B8C3F574C4DB64822AD56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575278Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.097{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{4975E0B9-496B-4FF0-BC0E-1E06B22BDD96}MD5=C8B4FC8B8745BDE84005D690D3A026B2,SHA256=8779E3A2B6294AED675906209B8CD86FE1A79E0D3770AED38600278C29E6E55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575277Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.097{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{48A82B41-50A4-42D7-B403-B5D5FC29426F}MD5=164DF3D6F46E23E2FA08C9D8B57D071C,SHA256=2CEAF005435274273EB097157EA09E468BCD39ED9A7D63ECD04A0C6986B1528C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575276Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.081{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{3F7F98FC-AA70-447B-8115-EB5A44909800}MD5=F4AF1310D8D92B88BAB00ECA2F49C398,SHA256=3130C6EC89917106856DA972EA6157791A6F8DD405164F86B7EF73F849A158DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575275Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.081{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{3A0E2E7D-9FED-42CB-8877-33CF7980ECDA}MD5=544AC2AEF10A0AAC6646D5D372CC839A,SHA256=E402AAF80000D1AE4C9C731B2D45E9E1D707C1F9ED0935EF065968C47306E85E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575274Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.081{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{38A89348-B3AE-479E-9816-8957D41F333A}MD5=7E65C5A57A575C58A5405595565EA22E,SHA256=9FA31C4A02F57CEF0DE517567F7D218DA51B530A387E6198F25B60967C43AEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575273Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.081{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{33E693A3-517A-4347-A45E-3E8F1A25B030}MD5=1A1A2950F1D4A9770DF78E6CD2BCACC2,SHA256=28EA58D31BC5379C5760FC79481AFFAD0E1A132AAC6C794D8C849D6BDED9AE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575272Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.081{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{3039DC32-E634-4F64-AD60-9038F8E7D74E}MD5=D073912E2B55F885ADC380FB3849A88D,SHA256=3D6632DD180019CC415F024A5C0724886E4F5E90116E78F5B390E09475C8A1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575271Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.081{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{2D2370BB-9EFA-4648-B021-63A266D97A51}MD5=B590C6A1DBD4BAE99FED3744E0898536,SHA256=FEA47174536A406B031F040F394417218427405C4EB30558D6126A1AA79F6005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575270Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.081{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{24A5753E-C22E-49F4-BC08-F780BC6B1286}MD5=F3EFEAA4A73DB4D7D39C729FDE3305A7,SHA256=8C33FC0D66799635812F0F5F96B35C699ACAC5753DB1FFA89DA9520C81CAE9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575269Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.081{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1F6412A2-2B23-4074-A89D-9586B3CFBF11}MD5=9A987ABDC3B59D4D4E488190C758BC8A,SHA256=F9B1BF1FC533A009213B23911DBA90DF8E914BB93C458D7A86C89D8546AE1FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575268Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.081{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{1CC42A14-06FE-4766-987D-39817BF3005F}MD5=3700764E031A12B2220A2C082EF7BBBE,SHA256=A772660D39E4150FB6017A0FDBDE096EB17128774678A018BFFEDCDB507101F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575267Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.065{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{19AC3423-5AC0-4CD7-9E2B-DB6C0DECE3C4}MD5=9001B10995D8FDABC78945D7B210649D,SHA256=92818CA4F5FB7F3808ABFDE9EFED7E2292FBE9195366132EDB50F3A246CA00B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575266Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.065{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\AppIconCache\100\{03152E59-DE8A-4AF5-8757-7FF15DC09A3C}MD5=25917526232EBDB7DE54634BFB5E6A33,SHA256=467251FCB3C564947AA615B69ECFC765763BBAA61B47CA13FD1895307E30125E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575265Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.065{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].pngMD5=A98EF91236D0A680740A3C0F10937087,SHA256=660FDBEDE1BFFF4F5F322F2DD862445A2BE9101828A32013843E5F6E0320D804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575264Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.065{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].htmlMD5=CDD4A14258DC43D22C37F1E721AEC245,SHA256=0D9E19723D9ED66DD13CB8657808963130BAD94249F03228CCC68BB32FC360C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575263Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.065{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\appcache[1].manMD5=9C09D8D73BB5BB4E83BE6D75D117BCDA,SHA256=F34BC09B3486A486AABF2BE3A3E6728A5FCD17821CAF41CFAC78CE85A63C6AC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575262Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.050{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txtMD5=F98851A644D901C32D1152CF001C2A30,SHA256=8A450F4631B7F451F470B7E7EF723A872C962749001C75AB1E9A01FC2765766A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575261Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.050{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txtMD5=5B7A3FBF6CE7627737B7AE8F7F73AF2B,SHA256=E5C8A584A8EF5082455DF1B7D986CDF9160F0A5AFA0EC6FD360EAAB9A1A8C5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575260Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.050{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txtMD5=FF638505C57813F0F9115CB2F853BC07,SHA256=18695997D547308B565AA0D9AC8FDF8981966A47AF431DCC943BCC882AB6ECB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575259Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.050{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txtMD5=E68A5D04BF606560BDC326154A025956,SHA256=C32FBB255C914DA8336038933E799C5FEC8D50A0661B78DAB9E312131E7B7637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575258Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.050{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txtMD5=10D7D30E23DBC108EC78C03F9E741566,SHA256=99355DBE0DDE1F5390AF8BA6FEB736E85B00C13E8D08B560DFE2D7EC5465E8C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575257Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.034{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txtMD5=D20D4B52F55421E4F0EE293FA394F274,SHA256=6594DB803F6BEAC699E3B4FE1BFFF9F1A6C8B7D1CB43A9A92A7D6979EE62B9ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575256Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.034{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575255Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.034{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575254Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.034{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txtMD5=766B33AB225A94D22C45803D32D1D2C4,SHA256=8BF750226E7E4720AFCD86820D0752946ABB11DB79EF62AFFA61EEC941AB5C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575253Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.034{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txtMD5=6B559E6B268CC53FC0293A706E970550,SHA256=9179C223831AE54A2A21E24B1BDBD1D06C00098FA2A664F476756CEFA56C71E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575252Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.034{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txtMD5=87C5803AC86277335317BEEC5B252EF0,SHA256=8F7211EC0F4E0532DB653FECB4F605EB4C3C6C9879B138185DB4AAF7245646BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575251Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.034{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txtMD5=1DE957E6ECB8E53F1849E98E56D5D8F8,SHA256=D60A1010C3D82CAABA7C755C3A6423D7A268BCDC9EA4F27B10E8E14FD84ACD24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575250Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575249Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.018{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txtMD5=A6A758B9A843A9AE35166154D051C654,SHA256=59BEC20EBDB4ABAD19803E90044333A5781C755A3DDC0663A4A95E88AA0F45DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575248Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.018{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txtMD5=4EA6D9CCAE439451E3EDC69589C21F52,SHA256=115EE9EFD86B0AB505977609DBC1409CAD55275ED187667B37C1F7453406AA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575247Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.018{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txtMD5=7F25769992DF13C241A1F14C72781B7F,SHA256=C3F1170A49C7EE2CF721D222FA1F766543D0F69BBCB35BFA2C64453025365DA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575246Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575245Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.003{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txtMD5=D2ECB824C1EBD5CAD726A8FA730F83BD,SHA256=9BA9C472659B68EC59A470063958FCF4C1B9F95670B884F95FF690DA601CADA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575244Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.003{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txtMD5=91784C62BBC0181E5D1A1939D62C7576,SHA256=7C5953F43236E76AD1EABF5FB4E75FDC98F73A7686BFF5C023843D16A53C2CA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575243Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575242Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:54.987{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txtMD5=E15FA9A83F9216A78A5E4AE2C2C08305,SHA256=65E0957B6D224D885497EE696AA97F94FE98D8BFBBD4F927508ABD645A4182BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676383Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:54.114{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal53505- 23542300x8000000000000000676382Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:55.879{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FE226B576FF450B9DE3F4848CD33A46,SHA256=5F75B3D139083C443D202092EB26C444B3AD345577EBFEF64095E29258114AF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676381Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:55.763{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72824308D64E229441078FB79FAF0301,SHA256=5B76DB9A44C6C8FC6AEA73B1779B32391628A127BB391A408C8B33529EBBE175,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676380Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:55.595{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-4A2D-00000000BA01}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576039Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576038Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576037Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576036Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576035Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576034Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576033Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.972{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576032Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.972{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576031Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576030Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576029Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576028Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576027Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576026Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576025Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576024Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576023Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576022Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576021Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576020Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576019Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576018Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576017Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.956{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576016Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576015Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576014Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576013Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576012Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576011Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576010Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576009Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576008Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576007Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576006Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576005Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576004Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.940{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576003Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576002Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576001Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576000Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575999Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575998Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575997Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575996Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Notifications\WPNPRMRY.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575995Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575994Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575993Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575992Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575991Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575990Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575989Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575988Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.925{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575987Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575986Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575985Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575984Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575983Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575982Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575981Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575980Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575979Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575978Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575977Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575976Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575975Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575974Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575973Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575972Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575971Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.909{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575970Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575969Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575968Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575967Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575966Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575965Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575964Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575963Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575962Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575961Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575960Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575959Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575958Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575957Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575956Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.893{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575955Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575954Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575953Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575952Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575951Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575950Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575949Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575948Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575947Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575946Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575945Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575944Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.878{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575943Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.862{E1BD9FC2-8178-609D-3751-00000000BB01}33282760C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000575942Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.862{E1BD9FC2-8178-609D-3751-00000000BB01}33282760C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000575941Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324220C:\Windows\Explorer.EXE{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000575940Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324212C:\Windows\Explorer.EXE{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000575939Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324212C:\Windows\Explorer.EXE{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000575938Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324220C:\Windows\Explorer.EXE{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000575937Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324220C:\Windows\Explorer.EXE{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000575936Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324220C:\Windows\Explorer.EXE{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000575935Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575934Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575933Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.722{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575932Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.722{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575931Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575930Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575929Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575928Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575927Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575926Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.722{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000575925Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.706{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000575924Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575923Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.706{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575922Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575921Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575920Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575919Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575918Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575917Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575916Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575915Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.612{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575914Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.612{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575913Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.612{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575912Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.612{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575911Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575910Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575909Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.440{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575908Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575907Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.393{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575906Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.393{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7e4dca80246863e3.customDestinations-ms~RFa7ab466.TMPMD5=6852E3A0BF1C01BB4DBFCB51C1A7C087,SHA256=74D6D8C58D0BEB0716EEECDC55366E193186924A616E057CD210F4104E5D85E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575905Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.393{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\f01b4d95cf55d32a.customDestinations-ms~RFa7ab456.TMPMD5=B9BD716DE6739E51C620F2086F9C31E4,SHA256=7116FF028244A01F3D17F1D3BC2E1506BC9999C2E40E388458F0CCCC4E117312,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000575904Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.362{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer (7).lnk2021-05-13 19:43:56.362 11241100x8000000000000000575903Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.331{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer (7).lnk2021-05-13 19:43:56.331 13241300x8000000000000000575902Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1042SetValue2021-05-13 19:43:56.253{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXEHKU\S-1-5-21-3056260599-3525860832-1735521891-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 23542300x8000000000000000575901Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.175{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4898084910B6B26F9356D485601FCEB2,SHA256=0663579B5FE488907D6787A5C72F341757EB773D2D969E5FC1FB1055E14D2B01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575900Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.175{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=240350CA9EB74AF7C00BFE2E31A42FAD,SHA256=D386EFADFE2741BA168F820F71F7EC80BF8690CE9060D2D6330A9F21883334CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575899Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575898Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575897Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575896Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575895Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575894Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575893Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575892Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575891Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575890Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575889Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575888Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575887Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.128{E1BD9FC2-8179-609D-4351-00000000BB01}17603844C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000575886Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.128{E1BD9FC2-8179-609D-4351-00000000BB01}17603844C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000575885Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.128{E1BD9FC2-8179-609D-4351-00000000BB01}17603844C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x8000000000000000575884Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.128{E1BD9FC2-8179-609D-4351-00000000BB01}17603844C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x8000000000000000575883Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575882Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575881Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575880Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575879Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575878Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575877Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575876Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575875Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575874Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575873Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575872Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575871Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575870Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575869Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575868Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575867Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575866Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575865Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575864Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575863Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575862Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575861Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575860Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575859Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575858Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575857Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575856Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.097{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575855Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.081{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Windows.PrintDialog_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575854Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575853Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575852Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575851Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575850Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575849Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575848Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575847Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575846Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575845Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575844Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575843Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575842Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575841Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575840Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575839Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575838Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575837Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575836Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575835Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575834Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575833Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575832Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575831Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575830Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575829Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575828Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575827Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.065{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575826Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575825Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575824Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575823Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575822Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575821Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575820Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575819Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575818Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.050{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3056260599-3525860832-1735521891-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575817Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.034{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\MiracastView\microsoft.system.package.metadata\Autogen\JSByteCodeCache_64MD5=1036E3DDDC89A4E68D8A33F3823A180E,SHA256=FB5E512425FC9449316EC95969EBE71E2D576DBAB833D61E2A5B9330FD70EE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000575816Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.018{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\Administrator\AppData\Local\Packages\Windows.MiracastView_cw5n1h2txyewy\Settings\settings.datMD5=A8308D2F3DDE0745E8B678BF69A2ECD0,SHA256=7FBB3E503ED8A4A8E5D5FAB601883CBB31D2E06D6B598460E570FB7A763EE555,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000575815Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.018{E1BD9FC2-8179-609D-4451-00000000BB01}32162664C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+114e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575814Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575813Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575812Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575811Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575810Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575809Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575808Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.018{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000575807Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.681{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52881-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000575806Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.419{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52880-false151.139.128.14-80http 354300x8000000000000000575805Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.079{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52879-false151.139.128.14-80http 354300x8000000000000000575804Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:53.036{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52878-false23.223.52.19a23-223-52-19.deploy.static.akamaitechnologies.com80http 354300x8000000000000000575803Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.674{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52877-false151.139.128.14-80http 354300x8000000000000000575802Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:52.655{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52876-false13.91.16.64-443https 10341000x8000000000000000575801Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575800Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575799Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575798Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575797Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575796Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575795Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575794Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000575793Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000575792Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:55.987{E1BD9FC2-8179-609D-4451-00000000BB01}3216NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\AppReadiness\S-1-5-21-3056260599-3525860832-1735521891-500MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676384Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:56.778{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BF0AF9C592E2AC49BFE68208A3F5CA,SHA256=7BDE51F618F87F652781F2B1B2D7A9BE07C3AB143082B03A8662B8F1D6756423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000576287Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.925{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2353488EF43B02455A2AB3E31C7A835C,SHA256=1A28A34256731106C5DE01DFCBD213F1B7B491DBE937D372B1B6A466D7F12FD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000576286Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.847{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000576285Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.815{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576284Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.815{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576283Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576282Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576281Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284660C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576280Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576279Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576278Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284660C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576277Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284628C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576276Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284628C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576275Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284624C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576274Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284624C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576273Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284608C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576272Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576271Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576270Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284628C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576269Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284628C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576268Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284632C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576267Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284624C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576266Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284632C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576265Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284624C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576264Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576263Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000576262Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000576261Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}3328940C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576260Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x8000000000000000576259Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3851-00000000BB01}3560928C:\Windows\system32\sihost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576258Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284620C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576257Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}3328940C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576256Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284608C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576255Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33282760C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576254Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.800{E1BD9FC2-8178-609D-3751-00000000BB01}33282644C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576253Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.784{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000576252Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.784{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576251Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.784{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576250Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.784{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576249Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576248Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576247Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576246Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576245Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576244Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576243Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576242Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576241Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.737{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576240Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.737{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576239Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.737{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576238Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.737{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576237Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.737{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576236Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576235Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.737{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576234Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576233Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576232Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576231Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576230Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576229Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576228Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576227Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576226Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576225Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576224Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576223Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576222Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576221Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576220Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576219Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576218Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324288C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x8000000000000000576217Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324288C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x8000000000000000576216Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324364C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x8000000000000000576215Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324364C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x8000000000000000576214Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576213Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576212Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576211Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576210Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000576209Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576208Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576207Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000576206Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576205Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000576204Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576203Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576202Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576201Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576200Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576199Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576198Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576197Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.706{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576196Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.690{E1BD9FC2-8179-609D-4251-00000000BB01}39324316C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000576195Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.690{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576194Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.690{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000576193Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.643{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576192Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.643{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000576191Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.643{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576190Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.643{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576189Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.643{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000576188Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576187Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576186Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.628{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576185Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.628{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576184Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.628{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576183Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.628{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576182Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.628{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576181Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.628{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576180Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.612{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+baba5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000576179Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.612{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+baba5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000576178Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.612{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576177Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.612{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576176Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576175Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576174Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576173Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x8000000000000000576172Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-ConnectPipe2021-05-13 19:43:57.597{E1BD9FC2-817D-609D-5051-00000000BB01}4352\TDLN-4352-41C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe 17141700x8000000000000000576171Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-CreatePipe2021-05-13 19:43:57.597{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348\TDLN-4352-41C:\Windows\system32\svchost.exe 10341000x8000000000000000576170Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.597{E1BD9FC2-D2BA-609A-1D00-00000000BB01}13483964C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000576169Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.597{E1BD9FC2-D2BA-609A-1D00-00000000BB01}13483964C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000576168Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576167Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576166Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576165Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576164Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576163Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576162Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000576161Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.565{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576160Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.565{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576159Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.565{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576158Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.565{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576157Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.565{E1BD9FC2-8178-609D-3851-00000000BB01}35602452C:\Windows\system32\sihost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000576156Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.565{E1BD9FC2-8178-609D-3851-00000000BB01}35602452C:\Windows\system32\sihost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000576155Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.565{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576154Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.565{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576153Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.550{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000576152Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.550{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+badc3|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576151Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.550{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+badc3|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576150Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.550{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+badc3|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576149Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.550{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12a3cc|C:\Windows\System32\TwinUI.dll+b60d4|C:\Windows\System32\TwinUI.dll+b1e1b|C:\Windows\System32\TwinUI.dll+d206a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576148Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.550{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576147Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.550{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576146Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.550{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576145Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.550{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576144Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.550{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576143Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.550{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576142Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.534{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000576141Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.534{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576140Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.534{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576139Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.534{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576138Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.534{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12a3cc|C:\Windows\System32\TwinUI.dll+b60d4|C:\Windows\System32\TwinUI.dll+b1e1b|C:\Windows\System32\TwinUI.dll+d206a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576137Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.534{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576136Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.534{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576135Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.534{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576134Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.534{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576133Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.518{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576132Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.440{E1BD9FC2-D2BA-609A-1300-00000000BB01}3802472C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576131Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.440{E1BD9FC2-D2BA-609A-1300-00000000BB01}3802472C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576130Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.331{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123652C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576129Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.331{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576128Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576127Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.331{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576126Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576125Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576124Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576123Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576122Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576121Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576120Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576119Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576118Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576117Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576116Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576115Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576114Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576113Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576112Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576111Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576110Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576109Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576108Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576107Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576106Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576105Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576104Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576103Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.159{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576102Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000576101Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576100Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000576099Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x8000000000000000576098Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-8178-609D-3851-00000000BB01}35603816C:\Windows\system32\sihost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576097Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000576096Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576095Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576094Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576093Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576092Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576091Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576090Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576089Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576088Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576087Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576086Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576085Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576084Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.143{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576083Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576082Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576081Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576080Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576079Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576078Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576077Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.128{E1BD9FC2-8178-609D-3F51-00000000BB01}9562820C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe{E1BD9FC2-8178-609D-3A51-00000000BB01}1556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x8000000000000000576076Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.128{E1BD9FC2-8178-609D-3F51-00000000BB01}9562820C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe{E1BD9FC2-8178-609D-3A51-00000000BB01}1556C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x8000000000000000576075Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576074Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576073Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576072Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576071Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576070Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.128{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576069Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576068Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576067Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576066Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576065Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576064Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576063Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576062Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576061Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576060Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576059Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576058Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576057Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576056Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.112{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576055Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576054Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576053Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576052Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.097{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8177-609D-3151-00000000BB01}2628C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576051Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576050Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000576049Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.050{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2922B11690FE620011ED41C7D5BAF6E0,SHA256=4867F1D0DAAABEA6ECF6FF5BEE21BE1093E93D823BDB4A429A46047F964EEB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000576048Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.050{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=10163ED626FE7D23CFE0EDC5B2262C86,SHA256=4C880947F5E4EE5082C9C26F74CF5557A6429D1800BA43AB6D1977723D21E477,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000576047Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.003{E1BD9FC2-D2BA-609A-1D00-00000000BB01}13483964C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000576046Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.003{E1BD9FC2-D2BA-609A-1D00-00000000BB01}13483964C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 18141800x8000000000000000576045Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-ConnectPipe2021-05-13 19:43:57.003{E1BD9FC2-8179-609D-4251-00000000BB01}3932\TDLN-3932-41C:\Windows\Explorer.EXE 17141700x8000000000000000576044Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-CreatePipe2021-05-13 19:43:57.003{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348\TDLN-3932-41C:\Windows\system32\svchost.exe 10341000x8000000000000000576043Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.003{E1BD9FC2-D2BA-609A-1D00-00000000BB01}13483964C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000576042Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.003{E1BD9FC2-D2BA-609A-1D00-00000000BB01}13483964C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000576041Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576040Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676387Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:57.925{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A582F31B05FD15D976154A2D60C21033,SHA256=DD4F28EA25D59103530252956DF956246D8E8086EC2C922AC4362F73EDBA40C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676386Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:57.809{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D77CAF577EE72B4EC31C9401BE63DC,SHA256=9407AC3B86427CD8DCE5CF15322500008AFC9D80E1386D3D58FB22200605E0B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676385Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:55.113{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal52151- 11241100x8000000000000000576861Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.972{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7da2213a-c48d-46ff-a1ca-43d1db6c6243}\Appssynonyms.txt2016-04-15 08:09:24.000 23542300x8000000000000000576860Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.972{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7da2213a-c48d-46ff-a1ca-43d1db6c6243}\appssynonyms.txtMD5=0159FA2FCDF8F84DB30198B1B3F95415,SHA256=4123D6B7736C9764973415C8F03F58E76FB2FB0A08E8F55CE9165C0C631C955E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000576859Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.940{E1BD9FC2-8178-609D-3651-00000000BB01}33883256C:\Windows\System32\rdpclip.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+d15ba|C:\Windows\System32\SHELL32.dll+84a34|C:\Windows\System32\SHELL32.dll+84688|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576858Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.940{E1BD9FC2-8178-609D-3651-00000000BB01}33883256C:\Windows\System32\rdpclip.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d15a8|C:\Windows\System32\SHELL32.dll+84a34|C:\Windows\System32\SHELL32.dll+84688|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x8000000000000000576857Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.940{E1BD9FC2-8178-609D-3651-00000000BB01}33883256C:\Windows\System32\rdpclip.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d15a8|C:\Windows\System32\SHELL32.dll+84a34|C:\Windows\System32\SHELL32.dll+84688|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x8000000000000000576856Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1122SetValue2021-05-13 19:43:58.940{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exeHKCR\WOW6432Node\CLSID\{2A36ADCC-AABF-4EC4-996E-821AAFB0CA1B}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 13241300x8000000000000000576855Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1122SetValue2021-05-13 19:43:58.940{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exeHKCR\CLSID\{2A36ADCC-AABF-4EC4-996E-821AAFB0CA1B}\InProcServer32\(Default)%%SystemRoot%%\system32\shdocvw.dll 10341000x8000000000000000576854Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.909{E1BD9FC2-8179-609D-4251-00000000BB01}39323852C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF800A385D8C8)|UNKNOWN(FFFFA4974D2B4A38)|UNKNOWN(FFFFA4974D2B4BB7)|UNKNOWN(FFFFA4974D2AF241)|UNKNOWN(FFFFA4974D2B0C0A)|UNKNOWN(FFFFA4974D2AEEC6)|UNKNOWN(FFFFF800A3574E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000576853Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.909{E1BD9FC2-8179-609D-4251-00000000BB01}39323852C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF800A385D8C8)|UNKNOWN(FFFFA4974D2B4A38)|UNKNOWN(FFFFA4974D2B4BB7)|UNKNOWN(FFFFA4974D2AF241)|UNKNOWN(FFFFA4974D2B0C0A)|UNKNOWN(FFFFA4974D2AEEC6)|UNKNOWN(FFFFF800A3574E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000576852Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.909{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7da2213a-c48d-46ff-a1ca-43d1db6c6243}\settingssynonyms.txt2021-05-13 19:43:58.909 11241100x8000000000000000576851Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.909{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7da2213a-c48d-46ff-a1ca-43d1db6c6243}\appssynonyms.txt2021-05-13 19:43:58.909 11241100x8000000000000000576850Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.909{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7da2213a-c48d-46ff-a1ca-43d1db6c6243}\settingsconversions.txt2021-05-13 19:43:58.909 11241100x8000000000000000576849Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.909{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7da2213a-c48d-46ff-a1ca-43d1db6c6243}\appsconversions.txt2021-05-13 19:43:58.909 11241100x8000000000000000576848Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.893{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7da2213a-c48d-46ff-a1ca-43d1db6c6243}\settingsglobals.txt2021-05-13 19:43:58.893 11241100x8000000000000000576847Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.893{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7da2213a-c48d-46ff-a1ca-43d1db6c6243}\appsglobals.txt2021-05-13 19:43:58.893 11241100x8000000000000000576846Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.878{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132654086386295415.txt2021-05-13 19:43:58.878 10341000x8000000000000000576845Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.878{E1BD9FC2-8179-609D-4251-00000000BB01}39323852C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF800A385D8C8)|UNKNOWN(FFFFA4974D2B4A38)|UNKNOWN(FFFFA4974D2B4BB7)|UNKNOWN(FFFFA4974D2AF241)|UNKNOWN(FFFFA4974D2B0C0A)|UNKNOWN(FFFFA4974D2AEEC6)|UNKNOWN(FFFFF800A3574E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000576844Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.878{E1BD9FC2-8179-609D-4251-00000000BB01}39323852C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF800A385D8C8)|UNKNOWN(FFFFA4974D2B4A38)|UNKNOWN(FFFFA4974D2B4BB7)|UNKNOWN(FFFFA4974D2AF241)|UNKNOWN(FFFFA4974D2B0C0A)|UNKNOWN(FFFFA4974D2AEEC6)|UNKNOWN(FFFFF800A3574E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576843Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576842Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576841Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576840Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576839Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576838Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576837Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576836Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576835Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576834Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576833Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576832Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576831Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576830Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576829Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576828Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576827Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576826Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576825Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576824Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576823Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576822Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576821Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576820Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576819Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576818Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576817Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576816Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576815Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576814Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576813Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576812Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576811Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576810Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576809Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576808Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576807Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576806Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576805Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576804Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576803Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576802Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576801Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576800Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576799Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576798Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576797Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576796Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576795Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576794Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576793Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576792Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576791Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576790Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576789Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576788Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576787Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576786Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576785Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576784Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576783Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576782Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576781Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576780Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576779Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.847{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576778Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576777Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576776Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576775Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576774Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576773Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576772Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576771Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576770Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576769Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576768Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576767Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576766Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576765Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576764Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576763Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576762Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576761Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576760Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576759Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576758Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576757Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576756Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576755Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576754Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576753Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576752Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576751Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576750Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576749Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576748Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576747Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576746Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576745Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576744Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576743Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576742Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576741Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576740Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576739Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576738Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576737Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576736Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576735Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576734Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576733Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576732Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576731Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576730Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576729Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576728Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576727Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576726Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576725Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576724Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576723Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576722Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576721Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576720Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576719Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x8000000000000000576718Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576717Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576716Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576715Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576714Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576713Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576712Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576711Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576710Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576709Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576708Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576707Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576706Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576705Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576704Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576703Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576702Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576701Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576700Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576699Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.831{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576698Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576697Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576696Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576695Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576694Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576693Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576692Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576691Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576690Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576689Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576688Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576687Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576686Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576685Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576684Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576683Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x8000000000000000576682Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576681Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576680Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576679Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576678Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576677Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576676Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576675Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576674Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576673Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576672Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576671Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576670Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576669Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576668Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576667Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576666Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576665Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576664Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576663Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576662Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576661Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576660Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576659Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576658Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576657Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576656Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576655Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576654Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576653Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576652Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576651Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x8000000000000000576650Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576649Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576648Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.815{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576647Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576646Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576645Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576644Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576643Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x8000000000000000576642Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576641Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576640Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576639Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576638Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576637Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576636Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576635Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576634Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576633Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576632Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576631Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576630Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576629Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576628Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576627Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576626Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576625Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576624Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576623Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576622Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576621Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576620Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576619Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576618Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576617Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576616Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576615Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576614Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576613Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576612Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576611Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576610Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576609Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576608Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576607Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576606Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576605Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576604Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576603Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576602Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576601Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576600Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576599Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576598Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576597Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576596Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576595Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576594Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576593Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576592Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576591Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x8000000000000000576590Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576589Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576588Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.800{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576587Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576586Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576585Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576584Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576583Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576582Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576581Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576580Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576579Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576578Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576577Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576576Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576575Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576574Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576573Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576572Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576571Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x8000000000000000576570Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576569Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576568Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576567Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.784{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000576566Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576565Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+1a9001|C:\Windows\System32\TwinUI.dll+bade1|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576564Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+1a9001|C:\Windows\System32\TwinUI.dll+bade1|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576563Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+1a9001|C:\Windows\System32\TwinUI.dll+bade1|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576562Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+badc3|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576561Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+badc3|C:\Windows\System32\TwinUI.dll+bae62|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576560Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12a3cc|C:\Windows\System32\TwinUI.dll+b60d4|C:\Windows\System32\TwinUI.dll+b1e1b|C:\Windows\System32\TwinUI.dll+d206a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576559Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576558Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576557Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576556Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576555Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576554Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576553Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576552Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576551Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576550Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576549Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576548Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576547Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576546Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.753{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000576545Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.722{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A9B0E8310073B24C5BD2E334D1056889,SHA256=B4DE19FC3D81876CAD21199E60B031F6112ADF78F711C97C0D9FBDAB2D2B23B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000576544Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.706{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000576543Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.706{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576542Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.706{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000576541Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.706{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000576540Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.706{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576539Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.706{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576538Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.706{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000576537Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.643{E1BD9FC2-8178-609D-3851-00000000BB01}3560928C:\Windows\system32\sihost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000576536Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.643{E1BD9FC2-8178-609D-3851-00000000BB01}3560928C:\Windows\system32\sihost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000576535Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.643{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\combase.dll+6a1e1|C:\Windows\System32\combase.dll+6a0aa|C:\Windows\System32\combase.dll+6a251 10341000x8000000000000000576534Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.628{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576533Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.628{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576532Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.628{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576531Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.628{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576530Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.628{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576529Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.597{E1BD9FC2-D2BA-609A-1100-00000000BB01}980496C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000576528Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576527Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576526Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.597{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576525Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576524Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576523Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576522Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576521Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576520Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576519Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576518Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576517Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576516Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576515Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576514Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576513Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576512Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576511Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576510Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576509Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576508Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576507Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.565{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576506Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576505Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576504Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576503Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576502Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576501Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576500Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576499Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576498Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576497Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576496Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576495Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.550{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576494Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-8179-609D-4351-00000000BB01}17603844C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000576493Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-8179-609D-4351-00000000BB01}17603844C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000576492Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-8179-609D-4351-00000000BB01}1760172C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+bf29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000576491Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-8179-609D-4351-00000000BB01}1760172C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+beb1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000576490Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-8179-609D-4351-00000000BB01}17603844C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b130|c:\windows\system32\appreadiness.dll+b71e|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x8000000000000000576489Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+f98a|C:\Windows\System32\execmodelclient.dll+f830|C:\Windows\System32\execmodelclient.dll+1e079|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576488Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+f98a|C:\Windows\System32\execmodelclient.dll+f8ac|C:\Windows\System32\execmodelclient.dll+1e05b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576487Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-8179-609D-4351-00000000BB01}17603844C:\Windows\System32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\appreadiness.dll+4dc63|c:\windows\system32\appreadiness.dll+c033|c:\windows\system32\appreadiness.dll+b063|c:\windows\system32\appreadiness.dll+b680|c:\windows\system32\appreadiness.dll+b625|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x8000000000000000576486Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576485Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-8178-609D-3851-00000000BB01}35602452C:\Windows\system32\sihost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000576484Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\combase.dll+6a1e1|C:\Windows\System32\combase.dll+6a0aa 10341000x8000000000000000576483Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\combase.dll+6a1e1|C:\Windows\System32\combase.dll+6a0aa 10341000x8000000000000000576482Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000576481Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000576480Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-8178-609D-3851-00000000BB01}35602452C:\Windows\system32\sihost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000576479Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.534{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576478Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.518{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000576477Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.518{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000576476Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000576475Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000576474Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.518{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576473Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.518{E1BD9FC2-8179-609D-4251-00000000BB01}39324260C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+182ce3|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576472Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.518{E1BD9FC2-8179-609D-4251-00000000BB01}39324260C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+182ce3|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576471Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.518{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576470Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.518{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576469Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.503{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576468Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.503{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576467Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.503{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000576466Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.503{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_CortanaIcon[1].pngMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000576465Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.503{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\2\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_COOBE_COOBE[1].htmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576464Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.487{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt2021-05-13 19:43:58.487 23542300x8000000000000000576463Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.487{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576462Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.487{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_22[1].txt2021-05-13 19:43:58.487 11241100x8000000000000000576461Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.487{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt2021-05-13 19:43:58.487 23542300x8000000000000000576460Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.487{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576459Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.487{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_21[1].txt2021-05-13 19:43:58.487 11241100x8000000000000000576458Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.487{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt2021-05-13 19:43:58.487 23542300x8000000000000000576457Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.487{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576456Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.487{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_20[1].txt2021-05-13 19:43:58.487 11241100x8000000000000000576455Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.487{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt2021-05-13 19:43:58.487 23542300x8000000000000000576454Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.487{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576453Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.487{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_19[1].txt2021-05-13 19:43:58.487 11241100x8000000000000000576452Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.487{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt2021-05-13 19:43:58.472 23542300x8000000000000000576451Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.487{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576450Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_18[1].txt2021-05-13 19:43:58.472 11241100x8000000000000000576449Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt2021-05-13 19:43:58.472 23542300x8000000000000000576448Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576447Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_17[1].txt2021-05-13 19:43:58.472 11241100x8000000000000000576446Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt2021-05-13 19:43:58.472 23542300x8000000000000000576445Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576444Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_16[1].txt2021-05-13 19:43:58.472 11241100x8000000000000000576443Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt2021-05-13 19:43:58.472 23542300x8000000000000000576442Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576441Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_15[1].txt2021-05-13 19:43:58.472 11241100x8000000000000000576440Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt2021-05-13 19:43:58.472 23542300x8000000000000000576439Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576438Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_14[1].txt2021-05-13 19:43:58.472 11241100x8000000000000000576437Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt2021-05-13 19:43:58.472 23542300x8000000000000000576436Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576435Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.472{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_13[1].txt2021-05-13 19:43:58.472 11241100x8000000000000000576434Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt2021-05-13 19:43:58.456 23542300x8000000000000000576433Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576432Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_12[1].txt2021-05-13 19:43:58.456 11241100x8000000000000000576431Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt2021-05-13 19:43:58.456 23542300x8000000000000000576430Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576429Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_11[1].txt2021-05-13 19:43:58.456 11241100x8000000000000000576428Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt2021-05-13 19:43:58.456 23542300x8000000000000000576427Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576426Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_10[1].txt2021-05-13 19:43:58.456 11241100x8000000000000000576425Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt2021-05-13 19:43:58.456 23542300x8000000000000000576424Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576423Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_9[1].txt2021-05-13 19:43:58.456 11241100x8000000000000000576422Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt2021-05-13 19:43:58.456 23542300x8000000000000000576421Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576420Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_8[1].txt2021-05-13 19:43:58.456 11241100x8000000000000000576419Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt2021-05-13 19:43:58.456 23542300x8000000000000000576418Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576417Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_7[1].txt2021-05-13 19:43:58.456 11241100x8000000000000000576416Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.440{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt2021-05-13 19:43:58.440 23542300x8000000000000000576415Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.440{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576414Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.440{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_6[1].txt2021-05-13 19:43:58.440 11241100x8000000000000000576413Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.440{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt2021-05-13 19:43:58.440 23542300x8000000000000000576412Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.440{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576411Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.440{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_5[1].txt2021-05-13 19:43:58.440 11241100x8000000000000000576410Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.440{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt2021-05-13 19:43:58.440 23542300x8000000000000000576409Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.440{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576408Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.440{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_4[1].txt2021-05-13 19:43:58.440 11241100x8000000000000000576407Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.440{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt2021-05-13 19:43:58.440 23542300x8000000000000000576406Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.440{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576405Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.440{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_3[1].txt2021-05-13 19:43:58.440 11241100x8000000000000000576404Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.440{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt2021-05-13 19:43:58.440 23542300x8000000000000000576403Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.440{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000576402Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.440{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\AppCache\UNBDVR11\1\C__Windows_SystemApps_Microsoft.Windows.Cortana_cw5n1h2txyewy_cache_Desktop_2[1].txt2021-05-13 19:43:58.440 10341000x8000000000000000576401Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.425{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576400Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.425{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000576399Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.425{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000576398Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.425{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000576397Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.425{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576396Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.425{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000576395Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.425{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000576394Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.409{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576393Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.409{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576392Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+14e60|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000576391Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.268{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576390Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.268{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000576389Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.268{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61acc|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576388Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.253{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576387Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.253{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576386Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.237{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576385Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.237{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576384Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.237{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576383Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.237{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817A-609D-4C51-00000000BB01}2344C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576382Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.237{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576381Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.237{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576380Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.237{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4151-00000000BB01}2992C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576379Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.237{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576378Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.237{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576377Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.237{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3551-00000000BB01}844C:\Windows\system32\TSTheme.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576376Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576375Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576374Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576373Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817A-609D-4C51-00000000BB01}2344C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576372Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576371Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576370Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4151-00000000BB01}2992C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576369Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576368Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576367Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3551-00000000BB01}844C:\Windows\system32\TSTheme.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576366Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576365Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576364Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576363Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817A-609D-4C51-00000000BB01}2344C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576362Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576361Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576360Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4151-00000000BB01}2992C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576359Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576358Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576357Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3551-00000000BB01}844C:\Windows\system32\TSTheme.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576356Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576355Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576354Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576353Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817A-609D-4C51-00000000BB01}2344C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576352Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576351Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576350Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4151-00000000BB01}2992C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576349Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576348Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576347Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3551-00000000BB01}844C:\Windows\system32\TSTheme.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576346Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576345Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576344Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817A-609D-4C51-00000000BB01}2344C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576343Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576342Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576341Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576340Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4151-00000000BB01}2992C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576339Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576338Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576337Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.222{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3551-00000000BB01}844C:\Windows\system32\TSTheme.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576336Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576335Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576334Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576333Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817A-609D-4C51-00000000BB01}2344C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576332Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576331Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576330Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4151-00000000BB01}2992C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576329Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576328Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576327Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3551-00000000BB01}844C:\Windows\system32\TSTheme.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576326Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576325Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576324Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576323Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817A-609D-4C51-00000000BB01}2344C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576322Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576321Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576320Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4151-00000000BB01}2992C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576319Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576318Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576317Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.206{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3551-00000000BB01}844C:\Windows\system32\TSTheme.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576316Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.190{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576315Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.190{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576314Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.190{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576313Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.190{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817A-609D-4C51-00000000BB01}2344C:\Windows\system32\rundll32.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576312Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.190{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4651-00000000BB01}1988C:\Windows\System32\ie4uinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576311Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.190{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576310Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.190{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4151-00000000BB01}2992C:\Windows\system32\userinit.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576309Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.190{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\system32\svchost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576308Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.190{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3651-00000000BB01}3388C:\Windows\System32\rdpclip.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576307Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.190{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8178-609D-3551-00000000BB01}844C:\Windows\system32\TSTheme.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\deviceaccess.dll+2da89|C:\Windows\System32\deviceaccess.dll+1713b|C:\Windows\System32\deviceaccess.dll+17524|C:\Windows\System32\deviceaccess.dll+17485|C:\Windows\System32\deviceaccess.dll+18249|C:\Windows\System32\deviceaccess.dll+17fd6|C:\Windows\system32\windows.cortana.onecore.dll+bb0f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000576306Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.190{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+b8fc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000576305Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.175{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+c370|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000576304Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.175{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+7e00|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000576303Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.128{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000576302Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.128{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576301Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.128{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576300Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.128{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba500|C:\Windows\System32\TwinUI.dll+b9e0e|C:\Windows\System32\TwinUI.dll+bae7e|C:\Windows\System32\TwinUI.dll+137c27|C:\Windows\System32\TwinUI.dll+1385af|C:\Windows\System32\TwinUI.dll+139427|C:\Windows\System32\TwinUI.dll+d2084|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576299Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.128{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12a3cc|C:\Windows\System32\TwinUI.dll+b60d4|C:\Windows\System32\TwinUI.dll+b1e1b|C:\Windows\System32\TwinUI.dll+d206a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576298Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.128{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576297Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.128{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576296Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.128{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576295Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.128{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+acea6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576294Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.128{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576293Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+7e00|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000576292Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+7e00|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000576291Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.081{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121260C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576290Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.081{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576289Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.034{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576288Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.034{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676390Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:58.825{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C65265F898AE24A1328E4B9AB48079F,SHA256=43AA8E72A23BD201EF8F77109CB3C247B943D6A747DD1248B471E222B7A194B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676389Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:56.113{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal50758- 354300x8000000000000000676388Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:56.113{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal51454- 23542300x8000000000000000577530Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.628{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F28825671EB66CE5FEA1FBF7613CDBB,SHA256=5DE7189886CCE6321D68F83E80D8A70C08FD45B13334E953BF025783853F2155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577529Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.612{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C7278FEAEA062BE7F826AED2D064D2,SHA256=BBB3FDF3F87637D235E98D358B48969525C318D38EBDDA23BC7C2B5BCB307225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577528Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.612{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=635E2240E753F62E982D33176AF9B368,SHA256=551BCEF008049904DA0784976E3D372D0D30C09929EA961F8EC7CC2239848EEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577527Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577526Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577525Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+103381|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577524Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+103381|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577523Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+103381|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577522Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+103381|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577521Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5342e|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\SHELL32.dll+8dd6a|C:\Windows\System32\windows.storage.dll+1571ed|C:\Windows\System32\windows.storage.dll+156e33|C:\Windows\System32\windows.storage.dll+1031a0|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577520Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+53398|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\SHELL32.dll+8dd6a|C:\Windows\System32\windows.storage.dll+1571ed|C:\Windows\System32\windows.storage.dll+156e33|C:\Windows\System32\windows.storage.dll+1031a0|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577519Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5337a|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\SHELL32.dll+8dd6a|C:\Windows\System32\windows.storage.dll+1571ed|C:\Windows\System32\windows.storage.dll+156e33|C:\Windows\System32\windows.storage.dll+1031a0|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577518Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103fa8|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577517Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5337a|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\SHELL32.dll+8dd6a|C:\Windows\System32\windows.storage.dll+1571ed|C:\Windows\System32\windows.storage.dll+156e33|C:\Windows\System32\windows.storage.dll+1031a0|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577516Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103fa8|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577515Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103fa8|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577514Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103fa8|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577513Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103f85|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577512Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103f85|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577511Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103f85|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577510Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103f85|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577509Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+106750|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577508Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+106750|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577507Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+106750|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469 10341000x8000000000000000577506Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+106750|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577505Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+10a36f|C:\Windows\System32\windows.storage.dll+1076ad|C:\Windows\System32\windows.storage.dll+10849d|C:\Windows\System32\windows.storage.dll+10661a|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577504Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+10a36f|C:\Windows\System32\windows.storage.dll+1076ad|C:\Windows\System32\windows.storage.dll+10849d|C:\Windows\System32\windows.storage.dll+10661a|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577503Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+10a36f|C:\Windows\System32\windows.storage.dll+1076ad|C:\Windows\System32\windows.storage.dll+10849d|C:\Windows\System32\windows.storage.dll+10661a|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1 10341000x8000000000000000577502Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+10a9c6|C:\Windows\System32\windows.storage.dll+10a34b|C:\Windows\System32\windows.storage.dll+1076ad|C:\Windows\System32\windows.storage.dll+10849d|C:\Windows\System32\windows.storage.dll+10661a|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577501Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+10a36f|C:\Windows\System32\windows.storage.dll+1076ad|C:\Windows\System32\windows.storage.dll+10849d|C:\Windows\System32\windows.storage.dll+10661a|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000577500Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+10a9c6|C:\Windows\System32\windows.storage.dll+10a34b|C:\Windows\System32\windows.storage.dll+1076ad|C:\Windows\System32\windows.storage.dll+10849d|C:\Windows\System32\windows.storage.dll+10661a|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577499Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+10a9c6|C:\Windows\System32\windows.storage.dll+10a34b|C:\Windows\System32\windows.storage.dll+1076ad|C:\Windows\System32\windows.storage.dll+10849d|C:\Windows\System32\windows.storage.dll+10661a|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700 10341000x8000000000000000577498Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+10a9c6|C:\Windows\System32\windows.storage.dll+10a34b|C:\Windows\System32\windows.storage.dll+1076ad|C:\Windows\System32\windows.storage.dll+10849d|C:\Windows\System32\windows.storage.dll+10661a|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1 10341000x8000000000000000577497Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000577496Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000577495Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085 10341000x8000000000000000577494Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac 10341000x8000000000000000577493Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1 10341000x8000000000000000577492Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1 10341000x8000000000000000577491Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e 10341000x8000000000000000577490Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085 23542300x8000000000000000577489Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}3328WIN-HOST-681\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6fbc3877-1f70-4298-bf5b-cc05d103c455}\Apps.indexMD5=7784039EC305EA31362D25DB3AE7EC61,SHA256=54109FB49A7ECD14C5FFE6E83A631982873A6381E17B4AC4F72D3CACD20C48B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577488Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000577487Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000577486Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085 10341000x8000000000000000577485Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac 10341000x8000000000000000577484Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1 10341000x8000000000000000577483Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1 10341000x8000000000000000577482Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e 10341000x8000000000000000577481Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085 23542300x8000000000000000577480Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}3328WIN-HOST-681\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6fbc3877-1f70-4298-bf5b-cc05d103c455}\Apps.ftMD5=94E692C977F59C447BE42134A73B8D0B,SHA256=C2464B8520FF105F2E239C9F05D0EB3F99828E3DCAB31323CA0A108462EEDCED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577479Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000577478Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000577477Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085 10341000x8000000000000000577476Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac 10341000x8000000000000000577475Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1 10341000x8000000000000000577474Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1 10341000x8000000000000000577473Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e 10341000x8000000000000000577472Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085 23542300x8000000000000000577471Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}3328WIN-HOST-681\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6fbc3877-1f70-4298-bf5b-cc05d103c455}\Apps.dataMD5=A090923B7EB14A99C960EE609C40E301,SHA256=1ED71B74ED962938DA9FF7896E84C426B44BDD3EC6E75875E7887524DC71F8C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577470Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000577469Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000577468Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085 10341000x8000000000000000577467Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1 10341000x8000000000000000577466Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac 10341000x8000000000000000577465Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1 10341000x8000000000000000577464Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e 10341000x8000000000000000577463Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085 23542300x8000000000000000577462Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.534{E1BD9FC2-8178-609D-3751-00000000BB01}3328WIN-HOST-681\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6fbc3877-1f70-4298-bf5b-cc05d103c455}\0.2.filtertrie.intermediate.txtMD5=C204E9FAAF8565AD333828BEFF2D786E,SHA256=D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577461Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000577460Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000577459Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085 10341000x8000000000000000577458Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac 10341000x8000000000000000577457Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1 10341000x8000000000000000577456Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1 10341000x8000000000000000577455Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e 10341000x8000000000000000577454Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085 23542300x8000000000000000577453Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}3328WIN-HOST-681\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6fbc3877-1f70-4298-bf5b-cc05d103c455}\0.1.filtertrie.intermediate.txtMD5=34BD1DFB9F72CF4F86E6DF6DA0A9E49A,SHA256=8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577452Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000577451Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000577450Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085 10341000x8000000000000000577449Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac 10341000x8000000000000000577448Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1 10341000x8000000000000000577447Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1 10341000x8000000000000000577446Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e 10341000x8000000000000000577445Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+19ceda|C:\Windows\System32\windows.storage.dll+10a457|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+106385|C:\Windows\System32\windows.storage.dll+1067fb|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085 23542300x8000000000000000577444Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}3328WIN-HOST-681\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6fbc3877-1f70-4298-bf5b-cc05d103c455}\0.0.filtertrie.intermediate.txtMD5=9F3757DFB05EB26B8C947BA0FAA8905A,SHA256=4D41F1ADC79F8F1617075EB69E43EAAF1D208F87FB9052C45B7872E49A6620E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577443Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+10673b|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577442Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+10673b|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577441Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+10673b|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469 10341000x8000000000000000577440Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+10673b|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577439Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040c4|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577438Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040c4|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577437Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040c4|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577436Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040c4|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577435Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040a3|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577434Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040a3|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577433Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040a3|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577432Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040a3|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577431Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+171086|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+140f49|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040a3|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577430Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+140f49|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040a3|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577429Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.518{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+140f49|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040a3|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577428Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.503{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+12bcbb|C:\Windows\System32\windows.storage.dll+12db93|C:\Windows\System32\windows.storage.dll+12bbcc|C:\Windows\System32\windows.storage.dll+12f341|C:\Windows\System32\windows.storage.dll+12e61c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c 10341000x8000000000000000577427Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.503{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+12bc58|C:\Windows\System32\windows.storage.dll+12db74|C:\Windows\System32\windows.storage.dll+12bbcc|C:\Windows\System32\windows.storage.dll+12f341|C:\Windows\System32\windows.storage.dll+12e61c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c 10341000x8000000000000000577426Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.503{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+12cddb|C:\Windows\System32\windows.storage.dll+12c2b5|C:\Windows\System32\windows.storage.dll+12c092|C:\Windows\System32\windows.storage.dll+12f2fa|C:\Windows\System32\windows.storage.dll+12e61c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c 10341000x8000000000000000577425Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.503{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5ce7c|C:\Windows\System32\windows.storage.dll+e5b79|C:\Windows\System32\windows.storage.dll+e5d04|C:\Windows\System32\windows.storage.dll+615c6|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577424Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.503{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+60e40|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577423Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.503{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5ceeb|C:\Windows\System32\windows.storage.dll+5fb52|C:\Windows\System32\windows.storage.dll+60148|C:\Windows\System32\windows.storage.dll+19f863|C:\Windows\System32\windows.storage.dll+60e25|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c 10341000x8000000000000000577422Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.503{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+60513|C:\Windows\System32\windows.storage.dll+19f968|C:\Windows\System32\windows.storage.dll+19f849|C:\Windows\System32\windows.storage.dll+60e25|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000577421Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.503{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5ce7c|C:\Windows\System32\windows.storage.dll+e5b79|C:\Windows\System32\windows.storage.dll+e5d04|C:\Windows\System32\windows.storage.dll+615c6|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 11241100x8000000000000000577420Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.503{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8eb91905-6353-4ae7-85cb-92432110a7e9}\0.2.filtertrie.intermediate.txt2021-05-13 19:43:59.503 11241100x8000000000000000577419Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.503{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8eb91905-6353-4ae7-85cb-92432110a7e9}\0.1.filtertrie.intermediate.txt2021-05-13 19:43:59.503 11241100x8000000000000000577418Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.487{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8eb91905-6353-4ae7-85cb-92432110a7e9}\0.0.filtertrie.intermediate.txt2021-05-13 19:43:59.487 11241100x8000000000000000577417Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7da2213a-c48d-46ff-a1ca-43d1db6c6243}\Appssynonyms.txt2016-04-15 08:09:24.000 23542300x8000000000000000577416Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.456{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7da2213a-c48d-46ff-a1ca-43d1db6c6243}\Appssynonyms.txtMD5=E0A816AC76A000337939EECA71DDBF4B,SHA256=0B824366DC8A6C3CA501D0E43AF140657B7E6F465E81B8D1FD4F30CC5409B067,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577415Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.425{E1BD9FC2-8179-609D-4251-00000000BB01}39323852C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF800A385D8C8)|UNKNOWN(FFFFA4974D2B4A38)|UNKNOWN(FFFFA4974D2B4BB7)|UNKNOWN(FFFFA4974D2AF241)|UNKNOWN(FFFFA4974D2B0C0A)|UNKNOWN(FFFFA4974D2AEEC6)|UNKNOWN(FFFFF800A3574E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000577414Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.425{E1BD9FC2-8179-609D-4251-00000000BB01}39323852C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF800A385D8C8)|UNKNOWN(FFFFA4974D2B4A38)|UNKNOWN(FFFFA4974D2B4BB7)|UNKNOWN(FFFFA4974D2AF241)|UNKNOWN(FFFFA4974D2B0C0A)|UNKNOWN(FFFFA4974D2AEEC6)|UNKNOWN(FFFFF800A3574E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000577413Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.409{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132654086392869054.txt2021-05-13 19:43:59.409 10341000x8000000000000000577412Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577411Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577410Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577409Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577408Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577407Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577406Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577405Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577404Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577403Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577402Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577401Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577400Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577399Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577398Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577397Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577396Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577395Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577394Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577393Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.393{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577392Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577391Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577390Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577389Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577388Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577387Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577386Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577385Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577384Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577383Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577382Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577381Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577380Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577379Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577378Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577377Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577376Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577375Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577374Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577373Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577372Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577371Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577370Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577369Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577368Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577367Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577366Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577365Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577364Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577363Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577362Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577361Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577360Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577359Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577358Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577357Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577356Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577355Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577354Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577353Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577352Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577351Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577350Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577349Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577348Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577347Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577346Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577345Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577344Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577343Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577342Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577341Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577340Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577339Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577338Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577337Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577336Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577335Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577334Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577333Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577332Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577331Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577330Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577329Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577328Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577327Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577326Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577325Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577324Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577323Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577322Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577321Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577320Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577319Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577318Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577317Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577316Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577315Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577314Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577313Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577312Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577311Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577310Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577309Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577308Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577307Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577306Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577305Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577304Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577303Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577302Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577301Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577300Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577299Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577298Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577297Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577296Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577295Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577294Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577293Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577292Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577291Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577290Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577289Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577288Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x8000000000000000577287Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577286Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577285Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.378{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577284Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577283Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577282Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577281Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577280Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577279Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577278Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577277Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577276Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577275Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577274Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577273Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577272Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577271Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577270Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577269Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577268Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577267Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577266Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577265Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577264Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577263Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577262Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577261Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577260Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577259Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577258Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577257Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577256Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577255Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577254Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577253Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577252Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x8000000000000000577251Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577250Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577249Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577248Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577247Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577246Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577245Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577244Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577243Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577242Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577241Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577240Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577239Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577238Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577237Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577236Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577235Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577234Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577233Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577232Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577231Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577230Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577229Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577228Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577227Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577226Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577225Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577224Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577223Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577222Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577221Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577220Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x8000000000000000577219Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577218Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577217Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577216Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577215Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577214Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577213Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577212Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x8000000000000000577211Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577210Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577209Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577208Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577207Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577206Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577205Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.362{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577204Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577203Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577202Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577201Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577200Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577199Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577198Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577197Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577196Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577195Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577194Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577193Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577192Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577191Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577190Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577189Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577188Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577187Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577186Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577185Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577184Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577183Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577182Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577181Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577180Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577179Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577178Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577177Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577176Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577175Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577174Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577173Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577172Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577171Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577170Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577169Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577168Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577167Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577166Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577165Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577164Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577163Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577162Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577161Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577160Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x8000000000000000577159Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577158Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577157Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+115a9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577156Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577155Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577154Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577153Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577152Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577151Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577150Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577149Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577148Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577147Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577146Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577145Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577144Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12f31|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577143Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12de3|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577142Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12cd7|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577141Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+12ba9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1151a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577140Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009 10341000x8000000000000000577139Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577138Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+182c9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577137Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+18280|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11417|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577136Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.347{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577135Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.284{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577134Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.284{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577133Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.284{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577132Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.284{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+5bb0|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577131Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.284{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577130Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.284{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577129Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.268{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577128Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.190{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577127Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.190{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577126Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.159{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000577125Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.159{E1BD9FC2-8178-609D-3751-00000000BB01}33283872C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000577124Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.143{E1BD9FC2-8178-609D-3751-00000000BB01}33283872C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000577123Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.143{E1BD9FC2-8178-609D-3751-00000000BB01}33285196C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817C-609D-4F51-00000000BB01}4172C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000577122Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 13241300x8000000000000000577121Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}3328C:\Windows\System32\RuntimeBroker.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{FBF23B40-E3F0-101B-8488-00AA003E56F8} {000214FA-0000-0000-C000-000000000046} 0xFFFFBinary Data 10341000x8000000000000000577120Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577119Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577118Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577117Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577116Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577115Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577114Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577113Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577112Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577111Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577110Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577109Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577108Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577107Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577106Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577105Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577104Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577103Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577102Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577101Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577100Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577099Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577098Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33285028C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577097Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577096Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33285028C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577095Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577094Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577093Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33285028C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577092Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33285028C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577091Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577090Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577089Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.128{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577088Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577087Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577086Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577085Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33283052C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577084Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33283052C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577083Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577082Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577081Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33285044C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577080Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33285044C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577079Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33285028C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577078Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284984C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000577077Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33285028C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577076Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577075Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284984C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06 10341000x8000000000000000577074Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577073Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577072Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577071Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577070Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577069Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577068Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577067Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284072C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577066Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284072C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577065Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577064Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577063Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577062Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577061Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577060Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577059Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33285028C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577058Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33285028C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577057Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577056Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577055Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33285044C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577054Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33285044C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577053Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33285044C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577052Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33285044C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577051Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577050Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284820C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577049Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577048Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577047Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284820C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577046Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284136C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577045Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577044Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33285044C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577043Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284136C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577042Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33285044C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577041Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577040Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577039Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577038Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 354300x8000000000000000577037Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:57.160{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\explorer.exeWIN-HOST-681\Administratortcptruefalse10.0.1.15win-host-681.attackrange.local52884-false52.242.211.89-443https 354300x8000000000000000577036Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.875{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52883-false13.91.16.64-443https 354300x8000000000000000577035Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:56.822{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52882-false20.190.154.17-443https 10341000x8000000000000000577034Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577033Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577032Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577031Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577030Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577029Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577028Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285044C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577027Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285044C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577026Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577025Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577024Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577023Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285044C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577022Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577021Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285044C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577020Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285072C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577019Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285072C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577018Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577017Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577016Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33282936C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577015Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33282936C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577014Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285124C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577013Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285124C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577012Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285024C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577011Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285024C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577010Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577009Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577008Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33283244C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577007Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577006Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33283244C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577005Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284984C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4 10341000x8000000000000000577004Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577003Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577002Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285024C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577001Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285024C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577000Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000576999Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285128C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576998Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285128C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576997Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285036C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576996Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285124C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576995Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285036C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576994Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284984C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\system32\windows.cortana.onecore.dll+16127|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06 10341000x8000000000000000576993Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284772C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576992Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285124C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576991Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284772C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576990Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576989Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576988Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284160C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576987Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284160C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576986Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284972C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576985Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33282440C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576984Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284972C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576983Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000576982Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33282440C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576981Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33283244C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576980Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000576979Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33283244C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576978Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576977Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285084C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576976Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576975Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285084C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576974Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33281060C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576973Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33281060C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576972Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33282504C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576971Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33282504C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576970Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284972C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576969Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33282936C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576968Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284972C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576967Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33282936C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576966Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284668C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576965Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}3328844C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576964Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284668C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576963Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}3328844C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576962Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}3328908C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576961Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33283872C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576960Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}3328908C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576959Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33283872C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576958Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285044C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000576957Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576956Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576955Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285044C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000576954Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284820C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576953Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284820C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576952Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000576951Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285036C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576950Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000576949Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285036C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576948Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000576947Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33281820C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576946Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284428C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576945Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000576944Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33281820C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576943Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284428C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576942Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284744C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000576941Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000576940Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576939Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576938Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284160C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576937Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284160C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576936Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285068C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576935Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285068C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576934Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285080C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576933Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284136C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576932Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000576931Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285080C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576930Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284136C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576929Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284724C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576928Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284724C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576927Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+f0026|C:\Windows\System32\windows.storage.dll+f1988|C:\Windows\system32\windows.cortana.Desktop.dll+fa1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000576926Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285024C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576925Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285084C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576924Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285024C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576923Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285084C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576922Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285068C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576921Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285072C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576920Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285068C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576919Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285072C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576918Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285080C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576917Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284756C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000576916Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.097{E1BD9FC2-8178-609D-3751-00000000BB01}33285080C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576915Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285068C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576914Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285068C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000576913Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284852C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5d020|C:\Windows\System32\windows.storage.dll+6c004|C:\Windows\System32\windows.storage.dll+178ceb|C:\Windows\system32\windows.cortana.Desktop.dll+fcba|C:\Windows\system32\windows.cortana.Desktop.dll+f91b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000576912Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285084C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576911Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285072C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576910Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285084C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576909Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285072C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576908Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284724C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576907Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284724C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576906Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285052C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576905Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285052C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576904Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285036C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576903Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285036C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576902Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284668C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576901Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284668C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576900Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576899Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576898Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576897Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576896Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285052C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576895Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285052C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576894Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284772C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576893Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284772C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576892Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285028C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576891Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285036C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576890Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285036C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576889Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285028C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576888Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285024C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576887Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33285024C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576886Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284768C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576885Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284768C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576884Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284724C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576883Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284668C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576882Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284724C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576881Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576880Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284668C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576879Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284772C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576878Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576877Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576876Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284772C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576875Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284764C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576874Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000576873Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.081{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000576872Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.034{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+12bcbb|C:\Windows\System32\windows.storage.dll+12db93|C:\Windows\System32\windows.storage.dll+12bbcc|C:\Windows\System32\windows.storage.dll+12f341|C:\Windows\System32\windows.storage.dll+12e61c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c 10341000x8000000000000000576871Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.034{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+12bc58|C:\Windows\System32\windows.storage.dll+12db74|C:\Windows\System32\windows.storage.dll+12bbcc|C:\Windows\System32\windows.storage.dll+12f341|C:\Windows\System32\windows.storage.dll+12e61c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c 10341000x8000000000000000576870Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.034{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+12cddb|C:\Windows\System32\windows.storage.dll+12c2b5|C:\Windows\System32\windows.storage.dll+12c092|C:\Windows\System32\windows.storage.dll+12f2fa|C:\Windows\System32\windows.storage.dll+12e61c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c 10341000x8000000000000000576869Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.034{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5ce7c|C:\Windows\System32\windows.storage.dll+e5b79|C:\Windows\System32\windows.storage.dll+e5d04|C:\Windows\System32\windows.storage.dll+615c6|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000576868Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.018{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+60e40|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000576867Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.018{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5ceeb|C:\Windows\System32\windows.storage.dll+5fb52|C:\Windows\System32\windows.storage.dll+60148|C:\Windows\System32\windows.storage.dll+19f863|C:\Windows\System32\windows.storage.dll+60e25|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c 10341000x8000000000000000576866Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.018{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+60513|C:\Windows\System32\windows.storage.dll+19f968|C:\Windows\System32\windows.storage.dll+19f849|C:\Windows\System32\windows.storage.dll+60e25|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000576865Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.018{E1BD9FC2-8178-609D-3751-00000000BB01}33284740C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5ce7c|C:\Windows\System32\windows.storage.dll+e5b79|C:\Windows\System32\windows.storage.dll+e5d04|C:\Windows\System32\windows.storage.dll+615c6|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 11241100x8000000000000000576864Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.003{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6fbc3877-1f70-4298-bf5b-cc05d103c455}\0.2.filtertrie.intermediate.txt2021-05-13 19:43:59.003 11241100x8000000000000000576863Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.003{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6fbc3877-1f70-4298-bf5b-cc05d103c455}\0.1.filtertrie.intermediate.txt2021-05-13 19:43:59.003 11241100x8000000000000000576862Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.003{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{6fbc3877-1f70-4298-bf5b-cc05d103c455}\0.0.filtertrie.intermediate.txt2021-05-13 19:43:59.003 23542300x8000000000000000676394Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:59.825{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF91EB24243BC884BAFDA1D421FA216,SHA256=2E473330F75C695E968D2150EC4A2F6620D49966CED443728BEA83B83E666C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676393Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:59.210{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D6B49DE3D181C7ED42D9402740A8619,SHA256=BF635C0B039493E1F2AD0BE0E3FCEBB52B92C6787F3FDAF9C5590025F6879E0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676392Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:57.719{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal51822- 354300x8000000000000000676391Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:57.427{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal54335- 354300x8000000000000000577535Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.696{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52885-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000577534Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.610{E1BD9FC2-D2BA-609A-1400-00000000BB01}388C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:f8e0:e2b9:8de5:ffff-54218-truee000:fc:0:0:5047:b34b:f97f:0-5355llmnr 354300x8000000000000000577533Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.610{E1BD9FC2-D2BA-609A-1400-00000000BB01}388C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:c1a8:3628:a9d6:2a9win-host-681.attackrange.local54218-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000577532Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.610{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal137netbios-nsfalse10.0.1.15win-host-681.attackrange.local137netbios-ns 354300x8000000000000000577531Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:58.610{E1BD9FC2-D2B7-609A-0100-00000000BB01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-681.attackrange.local137netbios-nsfalse10.0.1.255ip-10-0-1-255.us-west-2.compute.internal137netbios-ns 23542300x8000000000000000676397Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:00.878{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0A70059EB88591E94C25B0B9954E9A1,SHA256=7D03F71F5F09FB712DF2312EE7D56C29E05FB6FFFA83E057A280CEFD6AB6DF98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676396Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:00.844{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BE47AA755E850ED8622EF2A4A95AD1E,SHA256=2F27553D9AA1BA94D37CC4398F7AA1045D672CC3BB2D8788984EFCF95F58A6BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676395Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:58.454{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51287-false10.0.1.12-8000- 10341000x8000000000000000577544Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:01.722{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-8181-609D-5251-00000000BB01}5408C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577543Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:01.722{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-8181-609D-5251-00000000BB01}5408C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577542Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:01.722{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8181-609D-5251-00000000BB01}5408C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577541Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:01.472{E1BD9FC2-8178-609D-3651-00000000BB01}33883256C:\Windows\System32\rdpclip.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5342e|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577540Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:01.472{E1BD9FC2-8178-609D-3651-00000000BB01}33883256C:\Windows\System32\rdpclip.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+53398|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577539Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:01.472{E1BD9FC2-8178-609D-3651-00000000BB01}33883256C:\Windows\System32\rdpclip.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5337a|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577538Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:01.472{E1BD9FC2-8178-609D-3651-00000000BB01}33883256C:\Windows\System32\rdpclip.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5337a|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000577537Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:01.362{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=784F5008CF3766A431C3CD68230C0999,SHA256=3808E92A66FF26D5A834B58824F9A5A92482F71A5F6BD71FB604B0DFF856FD87,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000577536Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.505{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52886-false104.86.5.150a104-86-5-150.deploy.static.akamaitechnologies.com80http 354300x8000000000000000676403Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:00.147{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal58375- 23542300x8000000000000000676402Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:01.861{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B28CE514718D8FF09F751C98634E55E,SHA256=8355F98BEA1787AF3C5C568D3F00AE54A0A40AA2166A9D037EECB651C6AFAAA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676401Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:00.096{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal50517- 354300x8000000000000000676400Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:59.367{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal59194- 354300x8000000000000000676399Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:59.224{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal63795- 354300x8000000000000000676398Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:43:59.222{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal57593- 354300x8000000000000000577557Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.990{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52890-false104.86.5.150a104-86-5-150.deploy.static.akamaitechnologies.com80http 354300x8000000000000000577556Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.867{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52889-false104.86.5.150a104-86-5-150.deploy.static.akamaitechnologies.com80http 354300x8000000000000000577555Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.743{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52888-false104.86.5.150a104-86-5-150.deploy.static.akamaitechnologies.com80http 354300x8000000000000000577554Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:43:59.640{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52887-false52.247.37.26-80http 13241300x8000000000000000577553Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localInvDB-DriverVerSetValue2021-05-13 19:44:02.112{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe\REGISTRY\A\{97a2ddb0-2754-181b-8d4d-77e7ca180405}\Root\InventoryDevicePnp\swd/scdeviceenumbus/1\DriverVerVersion10.0.14393.0 13241300x8000000000000000577552Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localInvDB-DriverVerSetValue2021-05-13 19:44:02.097{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe\REGISTRY\A\{97a2ddb0-2754-181b-8d4d-77e7ca180405}\Root\InventoryDevicePnp\swd/scdeviceenumbus/0\DriverVerVersion10.0.14393.0 13241300x8000000000000000577551Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localInvDB-DriverVerSetValue2021-05-13 19:44:02.097{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe\REGISTRY\A\{97a2ddb0-2754-181b-8d4d-77e7ca180405}\Root\InventoryDevicePnp\terminput_bus/umb/2&2c22bcc9&0&session2mouse0\DriverVerVersion10.0.14393.0 13241300x8000000000000000577550Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localInvDB-DriverVerSetValue2021-05-13 19:44:02.097{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe\REGISTRY\A\{97a2ddb0-2754-181b-8d4d-77e7ca180405}\Root\InventoryDevicePnp\terminput_bus/umb/2&2c22bcc9&0&session2keyboard0\DriverVerVersion10.0.14393.0 10341000x8000000000000000577549Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:02.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8181-609D-5251-00000000BB01}5408C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577548Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:02.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8181-609D-5251-00000000BB01}5408C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577547Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:02.018{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-8181-609D-5251-00000000BB01}5408C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577546Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:02.018{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8181-609D-5251-00000000BB01}5408C:\Windows\System32\mobsync.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577545Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:02.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8181-609D-5251-00000000BB01}5408C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676413Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:02.876{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB4BC99E3AB6B2A7B19BFAE8774ED306,SHA256=B2EAEB6D9402CE63E221B05245AC38899647E64DCAAD1DB2283CF7E44851DC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676412Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:02.692{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=7B0D42DB05469C577653CE198B786844,SHA256=179ADD177177F995B955782F79E1D182E5E9D362063240CD88643E6025AACDE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676411Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:02.692{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E4AEA33279F57900292DC01EFEC8D0AF,SHA256=FA48EB35D761D14A2EB4AB0EA8A95DDF6AA7B5BDA538848314A79009533ED552,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676410Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:02.676{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=78F5277FCE4E6D9428165B8B02A58150,SHA256=C4AB21028900598321BCE3DD60E6CB0ACA9D98C47F200BC54B7C478B923ED280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676409Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:02.676{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=64A6CD0154DEEA66C90FDDF0068AC9C8,SHA256=B875F8E534B89CDB65FDC8299CC49C8112CFC772CBD0D1B97EA5D68F4CC013F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676408Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:02.676{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=8593E9041CB02973566AB63A3AB07EAC,SHA256=9BE4F2EE7150D5FCC1697E020242443F16F5A12A1D35EBC50AD2F4ED7BDC622B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676407Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:02.676{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=5F1C90C5FFE81DEB07A41418B3DA05E5,SHA256=E32962136D8F9901A7D30FB892C75EAB6381AA556A3B9001C1D154863350EF4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676406Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:02.676{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=4139EE7B1094BC75E75A2DE1E722AFF3,SHA256=6B84A7F38A04AB15E37B5872218D1509F15BF0765779976291A2AD4D99657424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676405Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:02.676{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=D87C89A0FA131864BFABF3F74C2D17B9,SHA256=3468B92FEC32C03FC5FF21A00C5C62DE4E782AD2580BCFEB6DE5289BE58F6E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676404Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:02.223{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5CEBB08CF10D0E5BA8BE3A7A5F752C5,SHA256=5D02169514B7AB217C1350D8E993B677303DF0846AD007972E8650887D4BF997,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577566Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:03.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577565Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:03.987{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577564Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:03.987{E1BD9FC2-8179-609D-4251-00000000BB01}39324100C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577563Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:03.987{E1BD9FC2-8179-609D-4251-00000000BB01}39324100C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577562Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:03.987{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577561Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:03.987{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x8000000000000000577560Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:03.987{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 22542200x8000000000000000577559Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:01.003{E1BD9FC2-D2BA-609A-1000-00000000BB01}972tsclient9003-C:\Windows\System32\svchost.exe 23542300x8000000000000000577558Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:03.050{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A79080B150F0795072C4E56E788B96BC,SHA256=D208E44A7D8E732E68C1BE9A8D9C770B189FB4B75AD18A17D13954195007F75E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676414Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:03.879{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE15DA251524723BA9E4E49B7C1F26F,SHA256=E2A7AA8FC85D66F8811048CDC76D17E8DF6F5673D2EEE4BE4B7C14EF8D119B66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577619Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.643{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000577618Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.643{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000577617Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.643{E1BD9FC2-8178-609D-3751-00000000BB01}33283872C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000577616Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.643{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+2a3301|C:\Windows\System32\windows.storage.dll+f5a83|C:\Windows\System32\windows.storage.dll+f5afa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577615Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.643{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+2ca4e2|C:\Windows\System32\windows.storage.dll+5ed75|C:\Windows\System32\windows.storage.dll+f5366|C:\Windows\System32\windows.storage.dll+2a3263|C:\Windows\System32\windows.storage.dll+f5a83|C:\Windows\System32\windows.storage.dll+f5afa|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06 10341000x8000000000000000577614Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.628{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+e7c73|C:\Windows\System32\windows.storage.dll+e73e5|C:\Windows\System32\windows.storage.dll+e72f9|C:\Windows\System32\windows.storage.dll+e7292|C:\Windows\System32\windows.storage.dll+5b9fd|C:\Windows\System32\windows.storage.dll+ddfd6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06 10341000x8000000000000000577613Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.628{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+60513|C:\Windows\System32\windows.storage.dll+5bbcc|C:\Windows\System32\windows.storage.dll+5bb23|C:\Windows\System32\windows.storage.dll+5b99b|C:\Windows\System32\windows.storage.dll+ddfd6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba 10341000x8000000000000000577612Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.628{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5ceeb|C:\Windows\System32\windows.storage.dll+12acc5|C:\Windows\System32\windows.storage.dll+ddfb8|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x8000000000000000577611Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.628{E1BD9FC2-8178-609D-3751-00000000BB01}33284996C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+12ac99|C:\Windows\System32\windows.storage.dll+ddfb8|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c 10341000x8000000000000000577610Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.628{E1BD9FC2-8178-609D-3751-00000000BB01}33283872C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5ce7c|C:\Windows\System32\windows.storage.dll+dbd49|C:\Windows\System32\windows.storage.dll+dbb75|C:\Windows\System32\windows.storage.dll+615c6|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577609Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.628{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577608Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.628{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577607Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.331{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000577606Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.331{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000577605Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.331{E1BD9FC2-8178-609D-3751-00000000BB01}33283872C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000577604Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000577603Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000577602Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.112{E1BD9FC2-8178-609D-3751-00000000BB01}33283872C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000577601Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000577600Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.112{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000577599Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.112{E1BD9FC2-8178-609D-3751-00000000BB01}33283872C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000577598Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284624C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000577597Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284624C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000577596Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.097{E1BD9FC2-8178-609D-3751-00000000BB01}33283872C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000577595Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000577594Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000577593Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.097{E1BD9FC2-8178-609D-3751-00000000BB01}33283872C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000577592Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000577591Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000577590Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.097{E1BD9FC2-8178-609D-3751-00000000BB01}33283872C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000577589Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000577588Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.097{E1BD9FC2-8178-609D-3751-00000000BB01}33284612C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+3cdcb|C:\Windows\System32\combase.dll+3e2d2|C:\Windows\System32\combase.dll+636f3|C:\Windows\System32\combase.dll+3e4dd|C:\Windows\System32\combase.dll+61a3f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x8000000000000000577587Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.097{E1BD9FC2-8178-609D-3751-00000000BB01}33283872C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7 10341000x8000000000000000577586Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577585Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577584Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577583Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.050{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7282520C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577582Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.003{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577581Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.003{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577580Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.003{E1BD9FC2-8179-609D-4251-00000000BB01}39324100C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577579Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.003{E1BD9FC2-8179-609D-4251-00000000BB01}39324100C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577578Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.003{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577577Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.003{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577576Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.003{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000577575Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.003{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000577574Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577573Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577572Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577571Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.003{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577570Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577569Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.003{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577568Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.003{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577567Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:03.987{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676418Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:04.894{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=336C684A8CBA23F32D9F79D93157DA55,SHA256=0291958492E338D7A014CED8FCEBBC6A8F315F43EA3742F6F5F618BBA8E1ED6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676417Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:02.410{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal61677- 354300x8000000000000000676416Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:01.394{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal55949- 23542300x8000000000000000676415Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:04.245{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85529F41BDF2AD14D8FECC824FB48BEB,SHA256=28DC7E932445A6F5CCE3768D2AEAE17C763BB632F4441779C14ACDB3239FFF59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577620Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:05.643{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C70270D57665384716824489760E78A,SHA256=A3B7D125A022D7DC2FF0CD971960C7DA591689FEFE4B8C938D5819FDFFC08002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676419Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:05.895{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181CBD1A28E871E5C99703569E8ECE47,SHA256=B11E3110C36C1BE8DEB4FB4902AAD33C8941CFB51CC2736E4D61F585753B571C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000577629Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:04.696{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52891-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000577628Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:06.487{E1BD9FC2-8179-609D-4251-00000000BB01}3932WIN-HOST-681\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpgMD5=CF7BB7C73EEBF9504B46C827ED064F60,SHA256=F46620F73F2ABAFCB3622CE5B672314F18350E92B7BD6C765CAE5556A994550B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577627Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:06.487{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000577626Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:06.487{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000577625Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:06.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577624Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:06.472{E1BD9FC2-8179-609D-4251-00000000BB01}39324312C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577623Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:06.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577622Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:06.472{E1BD9FC2-8179-609D-4251-00000000BB01}39324312C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577621Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:06.472{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676421Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:06.910{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8992CA5EB6BC04B1074886046A85585,SHA256=9DAAFDC6D52773BF2B80753E8C7943AA35822CA32A4F71C8458827A6CD8037BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676420Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:03.484{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51288-false10.0.1.12-8000- 10341000x8000000000000000577635Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:07.299{E1BD9FC2-D2BA-609A-1D00-00000000BB01}13484544C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000577634Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:07.299{E1BD9FC2-D2BA-609A-1D00-00000000BB01}13484544C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000577633Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:07.299{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577632Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:07.299{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577631Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:07.299{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577630Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:07.299{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000676423Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:07.924{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE7339DF705001F47C42E12C743BC6D,SHA256=2C17D189A8636C0CBD6D3053ED49CA6C30192E25597C44987785BED9E941247D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676422Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:07.694{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDB1C65A75F2894B756BC366F7CC4BAF,SHA256=68AA8C2D0E0F2E182AD1FFF7B79C8C9E7807350BE102867655AEDAA4EE20E4E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676429Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:08.943{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B31A93F4E57E03795387C1AABB1DB5,SHA256=6CC1B7E6BD33EAB73094E7279E7DD93E52D1CA77F3D86F292197279796F42B1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676428Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:08.808{7B03F3B2-37B7-609D-644C-00000000BA01}5805656C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-37B9-609D-664C-00000000BA01}4572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cea0|C:\Program Files\Mozilla Firefox\firefox.exe+2c9f3|C:\Program Files\Mozilla Firefox\firefox.exe+40d80|C:\Program Files\Mozilla Firefox\firefox.exe+40a7c|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676427Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:08.524{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676426Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:08.524{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676425Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:08.524{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676424Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:08.508{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000577668Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.533{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=328A780439C3CC9B3D1B4C5F6FF52F4E,SHA256=5D60F79AA6D2CBE75C7DF789F369C8CDDD4A412AEECA7917D2CA0D5B14C157FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577667Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.252{E1BD9FC2-8189-609D-5451-00000000BB01}55645584C:\Windows\system32\conhost.exe{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577666Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.252{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577665Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.252{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577664Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.252{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577663Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.252{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577662Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.252{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577661Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.252{E1BD9FC2-8189-609D-5351-00000000BB01}55565560C:\Windows\system32\cmd.exe{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000577660Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.254{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper -Initial" C:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{E1BD9FC2-8189-609D-5351-00000000BB01}5556C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 10341000x8000000000000000577659Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.236{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-8189-609D-5351-00000000BB01}5556C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577658Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.236{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-8189-609D-5351-00000000BB01}5556C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577657Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.236{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-8189-609D-5351-00000000BB01}5556C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577656Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.236{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-8189-609D-5451-00000000BB01}5564C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577655Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.236{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-8189-609D-5451-00000000BB01}5564C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577654Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.221{E1BD9FC2-8179-609D-4251-00000000BB01}39324364C:\Windows\Explorer.EXE{E1BD9FC2-8189-609D-5351-00000000BB01}5556C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577653Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.221{E1BD9FC2-8179-609D-4251-00000000BB01}39324364C:\Windows\Explorer.EXE{E1BD9FC2-8189-609D-5351-00000000BB01}5556C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577652Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.221{E1BD9FC2-8179-609D-4251-00000000BB01}39324364C:\Windows\Explorer.EXE{E1BD9FC2-8189-609D-5351-00000000BB01}5556C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577651Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.221{E1BD9FC2-8179-609D-4251-00000000BB01}39324364C:\Windows\Explorer.EXE{E1BD9FC2-8189-609D-5351-00000000BB01}5556C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577650Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.221{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-8189-609D-5451-00000000BB01}5564C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577649Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.221{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-8189-609D-5451-00000000BB01}5564C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577648Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.221{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-8189-609D-5451-00000000BB01}5564C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577647Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.221{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-8189-609D-5451-00000000BB01}5564C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577646Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.221{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-8189-609D-5451-00000000BB01}5564C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577645Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.221{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8189-609D-5451-00000000BB01}5564C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577644Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.205{E1BD9FC2-8189-609D-5451-00000000BB01}55645584C:\Windows\system32\conhost.exe{E1BD9FC2-8189-609D-5351-00000000BB01}5556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577643Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.205{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-8189-609D-5451-00000000BB01}5564C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577642Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.190{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577641Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.190{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577640Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.190{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577639Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.190{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577638Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.190{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-8189-609D-5351-00000000BB01}5556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577637Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.190{E1BD9FC2-8179-609D-4251-00000000BB01}39325348C:\Windows\Explorer.EXE{E1BD9FC2-8189-609D-5351-00000000BB01}5556C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\Explorer.EXE+91a26|C:\Windows\Explorer.EXE+11a0b|C:\Windows\Explorer.EXE+1187e|C:\Windows\Explorer.EXE+f7c2|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000577636Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.202{E1BD9FC2-8189-609D-5351-00000000BB01}5556C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" "C:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x8000000000000000676431Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:09.959{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0C75BD50606C5CE2F8E8F1FC1DB462,SHA256=C10ABD72E757E700B929420F11C3A2E1569A71CBAB8ADF7FB9107CAB5D8F4C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676430Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:09.875{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB30C1D7A6A4FA05201CE850B27D8229,SHA256=30ABA0D4AE5E295450539E1E47A89161ED706D62D7169E28287E1566BA2A79E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577677Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:10.439{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577676Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:10.439{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577675Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:10.393{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577674Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:10.393{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000577673Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-CreatePipe2021-05-13 19:44:10.330{E1BD9FC2-8189-609D-5551-00000000BB01}5612\PSHost.132654086492541203.5612.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000577672Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:10.236{E1BD9FC2-8189-609D-5551-00000000BB01}5612WIN-HOST-681\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_b4bzu4m0.pmr.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577671Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:10.236{E1BD9FC2-8189-609D-5551-00000000BB01}5612WIN-HOST-681\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_l0f2f1sw.byq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000577670Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:10.096{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_l0f2f1sw.byq.ps12021-05-13 19:44:10.096 10341000x8000000000000000577669Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:10.064{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676457Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.459{7B03F3B2-37B7-609D-644C-00000000BA01}5803432C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-37B9-609D-664C-00000000BA01}4572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f8761|C:\Program Files\Mozilla Firefox\xul.dll+11f6f41|C:\Program Files\Mozilla Firefox\xul.dll+1228a69|C:\Program Files\Mozilla Firefox\xul.dll+1228989|C:\Program Files\Mozilla Firefox\xul.dll+122607d|C:\Program Files\Mozilla Firefox\xul.dll+1226524|C:\Program Files\Mozilla Firefox\xul.dll+16cbe91|C:\Program Files\Mozilla Firefox\xul.dll+16ccef2|C:\Program Files\Mozilla Firefox\xul.dll+16b0c43|C:\Program Files\Mozilla Firefox\xul.dll+17aec82|C:\Program Files\Mozilla Firefox\xul.dll+17aea84|C:\Program Files\Mozilla Firefox\xul.dll+68fa77|C:\Program Files\Mozilla Firefox\xul.dll+17abf14|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17a9e08|C:\Program Files\Mozilla Firefox\xul.dll+17aa25f|C:\Program Files\Mozilla Firefox\xul.dll+6800fd|C:\Program Files\Mozilla Firefox\xul.dll+65869f|C:\Program Files\Mozilla Firefox\xul.dll+64ebcb|C:\Program Files\Mozilla Firefox\xul.dll+2c2af21 10341000x8000000000000000676456Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.459{7B03F3B2-37B7-609D-644C-00000000BA01}5803432C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-37B9-609D-664C-00000000BA01}4572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f8761|C:\Program Files\Mozilla Firefox\xul.dll+120715e|C:\Program Files\Mozilla Firefox\xul.dll+16b1fec|C:\Program Files\Mozilla Firefox\xul.dll+69224b|C:\Program Files\Mozilla Firefox\xul.dll+17aeb52|C:\Program Files\Mozilla Firefox\xul.dll+17aea84|C:\Program Files\Mozilla Firefox\xul.dll+68fa77|C:\Program Files\Mozilla Firefox\xul.dll+17abf14|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17a9e08|C:\Program Files\Mozilla Firefox\xul.dll+17aa25f|C:\Program Files\Mozilla Firefox\xul.dll+6800fd|C:\Program Files\Mozilla Firefox\xul.dll+65869f|C:\Program Files\Mozilla Firefox\xul.dll+64ebcb|C:\Program Files\Mozilla Firefox\xul.dll+2c2af21|C:\Program Files\Mozilla Firefox\xul.dll+2c2a2c0|C:\Program Files\Mozilla Firefox\xul.dll+62d9e1|C:\Program Files\Mozilla Firefox\xul.dll+2de0715|C:\Program Files\Mozilla Firefox\xul.dll+2de5890|C:\Program Files\Mozilla Firefox\xul.dll+2de56f1 10341000x8000000000000000676455Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.459{7B03F3B2-37B7-609D-644C-00000000BA01}5803432C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-37B9-609D-664C-00000000BA01}4572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f8761|C:\Program Files\Mozilla Firefox\xul.dll+11f6f41|C:\Program Files\Mozilla Firefox\xul.dll+1228a69|C:\Program Files\Mozilla Firefox\xul.dll+1228989|C:\Program Files\Mozilla Firefox\xul.dll+122607d|C:\Program Files\Mozilla Firefox\xul.dll+1226524|C:\Program Files\Mozilla Firefox\xul.dll+16cbe91|C:\Program Files\Mozilla Firefox\xul.dll+690c09|C:\Program Files\Mozilla Firefox\xul.dll+690b14|C:\Program Files\Mozilla Firefox\xul.dll+6908fd|C:\Program Files\Mozilla Firefox\xul.dll+690534|C:\Program Files\Mozilla Firefox\xul.dll+17aeb33|C:\Program Files\Mozilla Firefox\xul.dll+17aea84|C:\Program Files\Mozilla Firefox\xul.dll+68fa77|C:\Program Files\Mozilla Firefox\xul.dll+17abf14|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17a9e08|C:\Program Files\Mozilla Firefox\xul.dll+17aa25f|C:\Program Files\Mozilla Firefox\xul.dll+6800fd|C:\Program Files\Mozilla Firefox\xul.dll+65869f 10341000x8000000000000000676454Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.459{7B03F3B2-37B7-609D-644C-00000000BA01}5803432C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-37B9-609D-664C-00000000BA01}4572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f8761|C:\Program Files\Mozilla Firefox\xul.dll+11f6f41|C:\Program Files\Mozilla Firefox\xul.dll+1228a69|C:\Program Files\Mozilla Firefox\xul.dll+1228989|C:\Program Files\Mozilla Firefox\xul.dll+122607d|C:\Program Files\Mozilla Firefox\xul.dll+1226524|C:\Program Files\Mozilla Firefox\xul.dll+16cbe91|C:\Program Files\Mozilla Firefox\xul.dll+16ccef2|C:\Program Files\Mozilla Firefox\xul.dll+16b0c43|C:\Program Files\Mozilla Firefox\xul.dll+17aec82|C:\Program Files\Mozilla Firefox\xul.dll+17aea84|C:\Program Files\Mozilla Firefox\xul.dll+68fa77|C:\Program Files\Mozilla Firefox\xul.dll+17abf14|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17a9e08|C:\Program Files\Mozilla Firefox\xul.dll+17aa25f|C:\Program Files\Mozilla Firefox\xul.dll+6800fd|C:\Program Files\Mozilla Firefox\xul.dll+65869f|C:\Program Files\Mozilla Firefox\xul.dll+64ebcb|C:\Program Files\Mozilla Firefox\xul.dll+2c2af21|C:\Program Files\Mozilla Firefox\xul.dll+2c2a2c0 10341000x8000000000000000676453Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.459{7B03F3B2-37B7-609D-644C-00000000BA01}5803432C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-37B9-609D-664C-00000000BA01}4572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f8761|C:\Program Files\Mozilla Firefox\xul.dll+120715e|C:\Program Files\Mozilla Firefox\xul.dll+16b1fec|C:\Program Files\Mozilla Firefox\xul.dll+69224b|C:\Program Files\Mozilla Firefox\xul.dll+17aeb52|C:\Program Files\Mozilla Firefox\xul.dll+17aea84|C:\Program Files\Mozilla Firefox\xul.dll+68fa77|C:\Program Files\Mozilla Firefox\xul.dll+17abf14|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17a9e08|C:\Program Files\Mozilla Firefox\xul.dll+17aa25f|C:\Program Files\Mozilla Firefox\xul.dll+6800fd|C:\Program Files\Mozilla Firefox\xul.dll+65869f|C:\Program Files\Mozilla Firefox\xul.dll+64ebcb|C:\Program Files\Mozilla Firefox\xul.dll+2c2af21|C:\Program Files\Mozilla Firefox\xul.dll+2c2a2c0|C:\Program Files\Mozilla Firefox\xul.dll+62d9e1|C:\Program Files\Mozilla Firefox\xul.dll+2de0715|C:\Program Files\Mozilla Firefox\xul.dll+2de5890|C:\Program Files\Mozilla Firefox\xul.dll+2de56f1|C:\Program Files\Mozilla Firefox\xul.dll+2de5277 10341000x8000000000000000676452Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.459{7B03F3B2-37B7-609D-644C-00000000BA01}5803432C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-37B9-609D-664C-00000000BA01}4572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f8761|C:\Program Files\Mozilla Firefox\xul.dll+11f6f41|C:\Program Files\Mozilla Firefox\xul.dll+1228a69|C:\Program Files\Mozilla Firefox\xul.dll+1228989|C:\Program Files\Mozilla Firefox\xul.dll+122607d|C:\Program Files\Mozilla Firefox\xul.dll+1226524|C:\Program Files\Mozilla Firefox\xul.dll+16cbe91|C:\Program Files\Mozilla Firefox\xul.dll+690c09|C:\Program Files\Mozilla Firefox\xul.dll+690b14|C:\Program Files\Mozilla Firefox\xul.dll+6908fd|C:\Program Files\Mozilla Firefox\xul.dll+690534|C:\Program Files\Mozilla Firefox\xul.dll+17aeb33|C:\Program Files\Mozilla Firefox\xul.dll+17aea84|C:\Program Files\Mozilla Firefox\xul.dll+68fa77|C:\Program Files\Mozilla Firefox\xul.dll+17abf14|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17a9e08|C:\Program Files\Mozilla Firefox\xul.dll+17aa25f|C:\Program Files\Mozilla Firefox\xul.dll+6800fd|C:\Program Files\Mozilla Firefox\xul.dll+65869f|C:\Program Files\Mozilla Firefox\xul.dll+64ebcb 10341000x8000000000000000676451Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.459{7B03F3B2-37B7-609D-644C-00000000BA01}5803432C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-37B9-609D-664C-00000000BA01}4572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f8761|C:\Program Files\Mozilla Firefox\xul.dll+11f6f41|C:\Program Files\Mozilla Firefox\xul.dll+1228a69|C:\Program Files\Mozilla Firefox\xul.dll+1228989|C:\Program Files\Mozilla Firefox\xul.dll+122607d|C:\Program Files\Mozilla Firefox\xul.dll+1226524|C:\Program Files\Mozilla Firefox\xul.dll+16cbe91|C:\Program Files\Mozilla Firefox\xul.dll+16ccef2|C:\Program Files\Mozilla Firefox\xul.dll+16b0c43|C:\Program Files\Mozilla Firefox\xul.dll+17aec82|C:\Program Files\Mozilla Firefox\xul.dll+17aea84|C:\Program Files\Mozilla Firefox\xul.dll+68fa77|C:\Program Files\Mozilla Firefox\xul.dll+17abf14|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17a9e08|C:\Program Files\Mozilla Firefox\xul.dll+17aa25f|C:\Program Files\Mozilla Firefox\xul.dll+6800fd|C:\Program Files\Mozilla Firefox\xul.dll+65869f|C:\Program Files\Mozilla Firefox\xul.dll+64ebcb|C:\Program Files\Mozilla Firefox\xul.dll+2c2af21 10341000x8000000000000000676450Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.459{7B03F3B2-37B7-609D-644C-00000000BA01}5803432C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-37B9-609D-664C-00000000BA01}4572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f8761|C:\Program Files\Mozilla Firefox\xul.dll+120715e|C:\Program Files\Mozilla Firefox\xul.dll+16b1fec|C:\Program Files\Mozilla Firefox\xul.dll+69224b|C:\Program Files\Mozilla Firefox\xul.dll+17aeb52|C:\Program Files\Mozilla Firefox\xul.dll+17aea84|C:\Program Files\Mozilla Firefox\xul.dll+68fa77|C:\Program Files\Mozilla Firefox\xul.dll+17abf14|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17a9e08|C:\Program Files\Mozilla Firefox\xul.dll+17aa25f|C:\Program Files\Mozilla Firefox\xul.dll+6800fd|C:\Program Files\Mozilla Firefox\xul.dll+65869f|C:\Program Files\Mozilla Firefox\xul.dll+64ebcb|C:\Program Files\Mozilla Firefox\xul.dll+2c2af21|C:\Program Files\Mozilla Firefox\xul.dll+2c2a2c0|C:\Program Files\Mozilla Firefox\xul.dll+62d9e1|C:\Program Files\Mozilla Firefox\xul.dll+2de0715|C:\Program Files\Mozilla Firefox\xul.dll+2de5890|C:\Program Files\Mozilla Firefox\xul.dll+2de56f1 10341000x8000000000000000676449Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.459{7B03F3B2-37B7-609D-644C-00000000BA01}5803432C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-37B9-609D-664C-00000000BA01}4572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f8761|C:\Program Files\Mozilla Firefox\xul.dll+11f6f41|C:\Program Files\Mozilla Firefox\xul.dll+1228a69|C:\Program Files\Mozilla Firefox\xul.dll+1228989|C:\Program Files\Mozilla Firefox\xul.dll+122607d|C:\Program Files\Mozilla Firefox\xul.dll+1226524|C:\Program Files\Mozilla Firefox\xul.dll+16cbe91|C:\Program Files\Mozilla Firefox\xul.dll+690c09|C:\Program Files\Mozilla Firefox\xul.dll+690b14|C:\Program Files\Mozilla Firefox\xul.dll+6908fd|C:\Program Files\Mozilla Firefox\xul.dll+690534|C:\Program Files\Mozilla Firefox\xul.dll+17aeb33|C:\Program Files\Mozilla Firefox\xul.dll+17aea84|C:\Program Files\Mozilla Firefox\xul.dll+68fa77|C:\Program Files\Mozilla Firefox\xul.dll+17abf14|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17b587d|C:\Program Files\Mozilla Firefox\xul.dll+17a9e08|C:\Program Files\Mozilla Firefox\xul.dll+17aa25f|C:\Program Files\Mozilla Firefox\xul.dll+6800fd|C:\Program Files\Mozilla Firefox\xul.dll+65869f 10341000x8000000000000000676448Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.459{7B03F3B2-37B7-609D-644C-00000000BA01}5803432C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-37B9-609D-664C-00000000BA01}4572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f8761|C:\Program Files\Mozilla Firefox\xul.dll+11f6f41|C:\Program Files\Mozilla Firefox\xul.dll+1228a69|C:\Program Files\Mozilla Firefox\xul.dll+1228989|C:\Program Files\Mozilla Firefox\xul.dll+122607d|C:\Program Files\Mozilla Firefox\xul.dll+1226524|C:\Program Files\Mozilla Firefox\xul.dll+16cbe91|C:\Program Files\Mozilla Firefox\xul.dll+690c09|C:\Program Files\Mozilla Firefox\xul.dll+690b14|C:\Program Files\Mozilla Firefox\xul.dll+6908fd|C:\Program Files\Mozilla Firefox\xul.dll+690534|C:\Program Files\Mozilla Firefox\xul.dll+3021a51|C:\Program Files\Mozilla Firefox\xul.dll+3021559|C:\Program Files\Mozilla Firefox\xul.dll+3025257|C:\Program Files\Mozilla Firefox\xul.dll+30273cf|C:\Program Files\Mozilla Firefox\xul.dll+67fe56|C:\Program Files\Mozilla Firefox\xul.dll+65869f|C:\Program Files\Mozilla Firefox\xul.dll+64ebcb|C:\Program Files\Mozilla Firefox\xul.dll+2c2af21|C:\Program Files\Mozilla Firefox\xul.dll+2c2a2c0|C:\Program Files\Mozilla Firefox\xul.dll+62d9e1|C:\Program Files\Mozilla Firefox\xul.dll+2de0715 10341000x8000000000000000676447Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.459{7B03F3B2-37B7-609D-644C-00000000BA01}5803432C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-37B9-609D-664C-00000000BA01}4572C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3f8761|C:\Program Files\Mozilla Firefox\xul.dll+11f6f41|C:\Program Files\Mozilla Firefox\xul.dll+1228a69|C:\Program Files\Mozilla Firefox\xul.dll+1228989|C:\Program Files\Mozilla Firefox\xul.dll+122607d|C:\Program Files\Mozilla Firefox\xul.dll+1226524|C:\Program Files\Mozilla Firefox\xul.dll+16cbe91|C:\Program Files\Mozilla Firefox\xul.dll+690c09|C:\Program Files\Mozilla Firefox\xul.dll+690b14|C:\Program Files\Mozilla Firefox\xul.dll+6908fd|C:\Program Files\Mozilla Firefox\xul.dll+690534|C:\Program Files\Mozilla Firefox\xul.dll+3021a51|C:\Program Files\Mozilla Firefox\xul.dll+3021559|C:\Program Files\Mozilla Firefox\xul.dll+3025257|C:\Program Files\Mozilla Firefox\xul.dll+30273cf|C:\Program Files\Mozilla Firefox\xul.dll+67fe56|C:\Program Files\Mozilla Firefox\xul.dll+65869f|C:\Program Files\Mozilla Firefox\xul.dll+64ebcb|C:\Program Files\Mozilla Firefox\xul.dll+2c2af21|C:\Program Files\Mozilla Firefox\xul.dll+2c2a2c0|C:\Program Files\Mozilla Firefox\xul.dll+62d9e1|C:\Program Files\Mozilla Firefox\xul.dll+2de0715 10341000x8000000000000000676446Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.406{7B03F3B2-37B7-609D-644C-00000000BA01}5803432C:\Program Files\Mozilla Firefox\firefox.exe{7B03F3B2-3EC3-609D-5A4D-00000000BA01}6112C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+506f1|C:\Program Files\Mozilla Firefox\xul.dll+2a65add|C:\Program Files\Mozilla Firefox\xul.dll+2a655a7|C:\Program Files\Mozilla Firefox\xul.dll+da3043|C:\Program Files\Mozilla Firefox\xul.dll+d9b1aa|C:\Program Files\Mozilla Firefox\xul.dll+40c6e|C:\Program Files\Mozilla Firefox\xul.dll+1224b30|C:\Program Files\Mozilla Firefox\xul.dll+11fca9f|C:\Program Files\Mozilla Firefox\xul.dll+3f49e|C:\Program Files\Mozilla Firefox\xul.dll+3d19c8|C:\Program Files\Mozilla Firefox\xul.dll+3d073f|C:\Program Files\Mozilla Firefox\xul.dll+3a1d1aa|C:\Program Files\Mozilla Firefox\xul.dll+3aba26f|C:\Program Files\Mozilla Firefox\xul.dll+3abb5e9|C:\Program Files\Mozilla Firefox\xul.dll+3f33|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c4e8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676445Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.374{7B03F3B2-31A0-609C-522D-00000000BA01}18763864C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676444Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.374{7B03F3B2-31A0-609C-522D-00000000BA01}18763864C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676443Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.343{7B03F3B2-D0CA-609A-1400-00000000BA01}10761472C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676442Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.343{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000676441Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.343{7B03F3B2-31A0-609C-522D-00000000BA01}18762412C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000676440Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.337{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676439Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.337{7B03F3B2-31A0-609C-522D-00000000BA01}18761140C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676438Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.321{7B03F3B2-31A0-609C-522D-00000000BA01}18761140C:\Windows\Explorer.EXE{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676437Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.321{7B03F3B2-31A0-609C-522D-00000000BA01}18767628C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676436Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.321{7B03F3B2-31A0-609C-522D-00000000BA01}18767628C:\Windows\Explorer.EXE{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676435Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.321{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676434Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.321{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676433Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.306{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676432Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.306{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000577709Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.939{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06D1CC2857B054C857A6B80F009F8591,SHA256=C2C9171FD852CECCD842D9D244438B2CBA64BE65EB0CEB7DB31A48C0001E7DC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000577708Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:09.773{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52892-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000577707Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.627{E1BD9FC2-8189-609D-5551-00000000BB01}5612WIN-HOST-681\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\3vf54z5w\3vf54z5w.dllMD5=5C1B60F219C4FA15E59AD7E285F38ED4,SHA256=D28ABE1A9D17BC64AB62C233A84792BF0DB06B2884FF5A7002FEC97D39396DB9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000577706Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.627{E1BD9FC2-8189-609D-5551-00000000BB01}5612WIN-HOST-681\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\3vf54z5w\3vf54z5w.0.csMD5=D9ACA9FFA16C22410A16DE5D5571469D,SHA256=74E86BCD8E601DAC165642F69B571B651867BE0251D7B3D9498D1F080E4D8391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577705Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.627{E1BD9FC2-8189-609D-5551-00000000BB01}5612WIN-HOST-681\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\3vf54z5w\3vf54z5w.cmdlineMD5=FCE1EDC2A4B342E56830A6EAF8C8651E,SHA256=3BEA9488B7B9846E00E9F2F659CEFED32EE14D53F7540BD5AC9E42AAA38B1E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577704Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.627{E1BD9FC2-8189-609D-5551-00000000BB01}5612WIN-HOST-681\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\3vf54z5w\3vf54z5w.outMD5=91AFFFC3F9839DBC7FEFBC4454E5C66F,SHA256=9F2F6031A3A63F7379E933A745AE8B0739B4521B980186AFEC5D276EE13B649C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577703Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.627{E1BD9FC2-818B-609D-5651-00000000BB01}5768WIN-HOST-681\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\3vf54z5w\CSC8F2942DBDB34019A4E2226A9596708E.TMPMD5=AE8EBE64F17948BA3FF9BB15C11EFD68,SHA256=D988C572CCD2B7D0ACE3E958C2BDAD5E943EA605A395924B688BA520DF08077F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000577702Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localDLL2021-05-13 19:44:11.627{E1BD9FC2-818B-609D-5651-00000000BB01}5768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\3vf54z5w\3vf54z5w.dll2021-05-13 19:44:11.377 23542300x8000000000000000577701Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.627{E1BD9FC2-818B-609D-5651-00000000BB01}5768WIN-HOST-681\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\2\3vf54z5w\3vf54z5w.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577700Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.611{E1BD9FC2-818B-609D-5651-00000000BB01}5768WIN-HOST-681\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RESEFC9.tmpMD5=7D2FB82346EF294424B4748B3F4CD4A3,SHA256=D6926554EC75251A53DF81E297845C4041C243EC959F26DED844D7323F6E2727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577699Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.611{E1BD9FC2-818B-609D-5751-00000000BB01}5796WIN-HOST-681\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\RESEFC9.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577698Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.611{E1BD9FC2-8189-609D-5451-00000000BB01}55645584C:\Windows\system32\conhost.exe{E1BD9FC2-818B-609D-5751-00000000BB01}5796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577697Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.611{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577696Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.611{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577695Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.611{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-818B-609D-5751-00000000BB01}5796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577694Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.611{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577693Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.611{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577692Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.611{E1BD9FC2-818B-609D-5651-00000000BB01}57685772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{E1BD9FC2-818B-609D-5751-00000000BB01}5796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000577691Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.612{E1BD9FC2-818B-609D-5751-00000000BB01}5796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\2\RESEFC9.tmp" "c:\Users\Administrator\AppData\Local\Temp\2\3vf54z5w\CSC8F2942DBDB34019A4E2226A9596708E.TMP"C:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{E1BD9FC2-818B-609D-5651-00000000BB01}5768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\3vf54z5w\3vf54z5w.cmdline" 10341000x8000000000000000577690Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.424{E1BD9FC2-8189-609D-5451-00000000BB01}55645584C:\Windows\system32\conhost.exe{E1BD9FC2-818B-609D-5651-00000000BB01}5768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577689Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.424{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577688Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.424{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577687Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.424{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-818B-609D-5651-00000000BB01}5768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577686Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.424{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577685Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.424{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577684Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.424{E1BD9FC2-8189-609D-5551-00000000BB01}56125724C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E1BD9FC2-818B-609D-5651-00000000BB01}5768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+7d9461|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+7d886a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\41c61395b8ebbe159552045c07ea1195\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff9dd0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\41c61395b8ebbe159552045c07ea1195\Microsoft.PowerShell.Commands.Utility.ni.dll+ffff9dd0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+1b0114bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+1afeb47d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+1afeb0b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+1bac2726(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+1afa802a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+1b00ba9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+1afedaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+1afedaab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+1afedc2b(wow64)|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+16ee92 154100x8000000000000000577683Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.398{E1BD9FC2-818B-609D-5651-00000000BB01}5768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\2\3vf54z5w\3vf54z5w.cmdline"C:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper -Initial" 11241100x8000000000000000577682Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.377{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\3vf54z5w\3vf54z5w.cmdline2021-05-13 19:44:11.377 11241100x8000000000000000577681Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localDLL2021-05-13 19:44:11.377{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\3vf54z5w\3vf54z5w.dll2021-05-13 19:44:11.377 23542300x8000000000000000577680Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.018{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06D1CC2857B054C857A6B80F009F8591,SHA256=C2C9171FD852CECCD842D9D244438B2CBA64BE65EB0CEB7DB31A48C0001E7DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577679Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.018{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A9D1DF6E4621AB1CF7069FFDBB69030,SHA256=BAAAAA3ECF8EC463C3C573CA89E0ADF2DA9C893A1F5868C535A74707DC722F99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577678Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.018{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EC84300068C35F4CF500EC1CD1415ACA,SHA256=0A295C1FA46BCDB0F28B825A5ABAFA19F15B8C12CC0587AED591CAC115DD00C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676460Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:11.457{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FC7FDA2D25FF38DCE96D4759B35F1AA,SHA256=85A363B51E9A2392E3913B3F26C6B030F549108186975C974A54E4E83D2DF20D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676459Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:11.320{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C8AD55A2CFE530F39967890C13B8C5,SHA256=A05A52D65A234F620CF41C0FC25B2045B20E0CCB1EB8D27BBDE7F1544B642EEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676458Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:09.406{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51289-false10.0.1.12-8000- 23542300x8000000000000000577733Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.877{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF6CD1651F299933C6BA9F0B7C2FDEA1,SHA256=3E5EB75AA20FA63EE98B483D3BE9EA01E32FDE901BEE647465AA474DC843CECD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000577732Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:10.134{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-681\Administratortcptruefalse10.0.1.15win-host-681.attackrange.local52893-false72.21.91.29-80http 23542300x8000000000000000577731Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.721{E1BD9FC2-8189-609D-5351-00000000BB01}5556WIN-HOST-681\AdministratorC:\Windows\system32\cmd.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmdMD5=6F31D86A88379966303FF5E580AC09C9,SHA256=D6EC54010FC20FADFE76B05AE3DDBCAB1C3134F462C4ED615C32B571A2930D38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577730Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.721{E1BD9FC2-8189-609D-5451-00000000BB01}55645584C:\Windows\system32\conhost.exe{E1BD9FC2-818C-609D-5951-00000000BB01}5868C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577729Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.721{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577728Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.721{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577727Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.721{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577726Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.721{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577725Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.721{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-818C-609D-5951-00000000BB01}5868C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577724Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.705{E1BD9FC2-8189-609D-5351-00000000BB01}55565560C:\Windows\system32\cmd.exe{E1BD9FC2-818C-609D-5951-00000000BB01}5868C:\Windows\system32\findstr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+4917|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000577723Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.719{E1BD9FC2-818C-609D-5951-00000000BB01}5868C:\Windows\System32\findstr.exe10.0.14393.0 (rs1_release.160715-1616)Find String (QGREP) UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationFINDSTR.EXEfindstr /v DELETEME C:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=15B171EC73E7B71F4EBB4247E716271E,SHA256=2956F7BC863498DFCC868CE7DF4C9C131A4A5C17B065658456AFEF7566ACE1EE,IMPHASH=D7962312082AAB17974D6817E09E5D7A{E1BD9FC2-8189-609D-5351-00000000BB01}5556C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 10341000x8000000000000000577722Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.705{E1BD9FC2-8189-609D-5451-00000000BB01}55645584C:\Windows\system32\conhost.exe{E1BD9FC2-818C-609D-5851-00000000BB01}5860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000577721Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT10232021-05-13 19:44:12.705{E1BD9FC2-8189-609D-5351-00000000BB01}5556C:\Windows\system32\cmd.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd2021-05-13 19:44:12.705 10341000x8000000000000000577720Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.705{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577719Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.705{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577718Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.705{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577717Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.705{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577716Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.705{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-818C-609D-5851-00000000BB01}5860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577715Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.705{E1BD9FC2-8189-609D-5351-00000000BB01}55565560C:\Windows\system32\cmd.exe{E1BD9FC2-818C-609D-5851-00000000BB01}5860C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+c3f6|C:\Windows\system32\cmd.exe+484b|C:\Windows\system32\cmd.exe+c378|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000577714Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.716{E1BD9FC2-818C-609D-5851-00000000BB01}5860C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /S /D /c" type "C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" "C:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{E1BD9FC2-8189-609D-5351-00000000BB01}5556C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd" " 23542300x8000000000000000577713Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.689{E1BD9FC2-8189-609D-5551-00000000BB01}5612WIN-HOST-681\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577712Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.580{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577711Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.033{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577710Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:12.033{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676469Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:12.256{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19249DA6CFB914DB3CAD436BD4E48574,SHA256=A48143D0244DBABBE6FC017261F3550FA23B8FD1D799AC1D294577CFCC998B1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676468Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.847{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-18.attackrange.local51290-false66.203.125.12bt2.api.mega.co.nz443https 354300x8000000000000000676467Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:10.743{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal58690- 23542300x8000000000000000676466Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:12.157{7B03F3B2-49CE-609C-4B30-00000000BA01}6852ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=C029838AC715317CE5764B14825AF72A,SHA256=8DBF9AD35434827A6F8CD8E3AB0097A8A4FE8EE8A60285A2FD13525397BD83D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676465Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:12.072{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-49CE-609C-4B30-00000000BA01}6852C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676464Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:12.072{7B03F3B2-31A0-609C-522D-00000000BA01}18765196C:\Windows\Explorer.EXE{7B03F3B2-49CE-609C-4B30-00000000BA01}6852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676463Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:12.072{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-49CE-609C-4B30-00000000BA01}6852C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676462Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:12.072{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-49CE-609C-4B30-00000000BA01}6852C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676461Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:12.072{7B03F3B2-31A0-609C-522D-00000000BA01}18763640C:\Windows\Explorer.EXE{7B03F3B2-49CE-609C-4B30-00000000BA01}6852C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000577749Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.401{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-681\Administratortcptruefalse10.0.1.15win-host-681.attackrange.local52899-false169.254.169.254instance-data.us-west-2.compute.internal80http 354300x8000000000000000577748Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.398{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-681\Administratortcptruefalse10.0.1.15win-host-681.attackrange.local52898-false169.254.169.254instance-data.us-west-2.compute.internal80http 354300x8000000000000000577747Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.396{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-681\Administratortcptruefalse10.0.1.15win-host-681.attackrange.local52897-false169.254.169.254instance-data.us-west-2.compute.internal80http 354300x8000000000000000577746Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.393{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-681\Administratortcptruefalse10.0.1.15win-host-681.attackrange.local52896-false169.254.169.254instance-data.us-west-2.compute.internal80http 354300x8000000000000000577745Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.381{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-681\Administratortcptruefalse10.0.1.15win-host-681.attackrange.local52895-false169.254.169.254instance-data.us-west-2.compute.internal80http 354300x8000000000000000577744Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:11.366{E1BD9FC2-8189-609D-5551-00000000BB01}5612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWIN-HOST-681\Administratortcptruefalse10.0.1.15win-host-681.attackrange.local52894-false169.254.169.254instance-data.us-west-2.compute.internal80http 10341000x8000000000000000577743Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:13.596{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577742Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:13.596{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577741Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:13.596{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577740Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:13.596{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577739Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:13.596{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577738Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:13.596{E1BD9FC2-8178-609D-3851-00000000BB01}3560928C:\Windows\system32\sihost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577737Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:13.596{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577736Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:13.596{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577735Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:13.596{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577734Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:13.596{E1BD9FC2-8178-609D-3851-00000000BB01}3560928C:\Windows\system32\sihost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676471Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:13.287{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CF2E929151962AE29EB71E56370608A,SHA256=D6BBB10470D32A30D9D573A291051EDF42381D4399A5E27E400AA368A0739440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676470Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:13.272{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=408D96E52635381C722D872517969E4D,SHA256=C3529F6CDE0FF35A65A677B135DF8EB3796A4A1950E42E516EFBD1E1D38D327F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577765Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.689{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DC438AEE3B8B7C37E0B60E78BC600786,SHA256=A3AB53DAF3470A4B949AC523E062E14F421ED8FCE9B3C8D2FAE098E252C77BE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577764Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.689{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F9B4904E255423A325B954047FFE31C0,SHA256=EB50E78EC97F20D5256EF1C289A4C6B1ED0DE0D9AC9BCB7F7B2A4F912649515F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577763Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.689{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC93DFF1632015308CB1BABAEEAB0DC,SHA256=BCE5AD574D86A3C0764E73C876F0A8308567BEF0FD512D50BCB9EBDE5C53AA28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577762Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.689{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E2BCBF2D6160A4DD9E0B8AE5961EB2B,SHA256=000B75F19F9DDE6D42A543A419CC07A95EFED815D7FFE0023559B1A91B3B9B25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577761Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.674{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577760Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.674{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577759Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.674{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577758Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.674{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577757Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.674{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577756Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.674{E1BD9FC2-8178-609D-3851-00000000BB01}35604892C:\Windows\system32\sihost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577755Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577754Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577753Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.643{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577752Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.643{E1BD9FC2-D2BA-609A-1D00-00000000BB01}13484528C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000577751Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.643{E1BD9FC2-D2BA-609A-1D00-00000000BB01}13484528C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000577750Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.643{E1BD9FC2-8178-609D-3851-00000000BB01}35604892C:\Windows\system32\sihost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676475Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:14.355{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E2D7CB7AB8C88D788F52B61354BB66F,SHA256=29B1B1FDC5B33DA70CB712BE8B564E81C4DDC6447683CED5D34C4D20E4EB0EFE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000676474Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.localInvDBSetValue2021-05-13 19:44:14.255{7B03F3B2-D0CA-609A-1300-00000000BA01}92C:\Windows\System32\svchost.exeHKU\S-1-5-21-789690981-2482995664-2390229051-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Notepad++\notepad++.exeBinary Data 11241100x8000000000000000676473Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:14.235{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txt2021-05-13 14:34:13.883 23542300x8000000000000000676472Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:14.235{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\SiteSecurityServiceState.txtMD5=C56CB905EF0EADF59242BC6F8AC3B9C7,SHA256=0991268D76FAA595C3F596BAC6B050FB2F6E8742D880955253EE24AD37DBD997,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676486Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:15.801{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000676485Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:15.801{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000676484Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:15.801{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000676483Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:15.801{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000676482Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:15.801{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000676481Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:15.801{7B03F3B2-31A0-609C-492D-00000000BA01}34162672C:\Windows\system32\sihost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676480Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:15.617{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000676479Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:15.617{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000676478Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:15.617{7B03F3B2-D0CA-609A-0C00-00000000BA01}8564308C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000676477Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:15.369{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB0A398B363DDE84E6D106551431D38,SHA256=1472B979E78797339F7B85C4F09738FF3A92373D05D41E78EA345073D9284714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676476Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:15.254{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E032D89D385AA8579B0A5EA483C098B,SHA256=B07BA93DDB98ECD897A8F837FAF9097544BC0DDA706DD02C702356EB2687DED4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000577767Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:14.789{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52900-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000577766Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:16.549{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B70BDAC1CDB63036E5F87E87A433DF7,SHA256=59BCB9FE4F346506A4EAEEE54BF7995776EAB25E4ECC497C1E79EBB9A6883867,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676488Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:14.462{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51291-false10.0.1.12-8000- 23542300x8000000000000000676487Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:16.384{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC983286A444B80F3677079CFA8379B4,SHA256=E7375D79A63EE4832EB1930E8824B58F3AAEC0EE9389F62C411FC40309535E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676489Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:17.415{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8984039DC8347138040B0B6F6FF55D3,SHA256=A380F1519906BC76497057917785F5B34C342276D11D7754D9DE644709C2C9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577768Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:18.236{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E899D1E38D194E9C1A77089730234857,SHA256=79BE91473BFF00D3AE78FF39A7DACD223E372630B394F7CDA1358E70ED0D243D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676490Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:18.432{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D76311690F4E2552B3E2B33794E0607,SHA256=4015433F8253B0177A975D80189E5379111ED310DFB7F8A1D5719B602CCF2C70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577785Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.518{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-8193-609D-5A51-00000000BB01}5996C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577784Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.502{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8193-609D-5A51-00000000BB01}5996C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577783Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8193-609D-5A51-00000000BB01}5996C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577782Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.502{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-8193-609D-5A51-00000000BB01}5996C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577781Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.502{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-8193-609D-5A51-00000000BB01}5996C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577780Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.502{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8193-609D-5A51-00000000BB01}5996C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577779Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.455{E1BD9FC2-817A-609D-4C51-00000000BB01}23441332C:\Windows\system32\rundll32.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+5342e|C:\Windows\System32\shell32.dll+84762|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577778Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.455{E1BD9FC2-817A-609D-4C51-00000000BB01}23441332C:\Windows\system32\rundll32.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\shell32.dll+53398|C:\Windows\System32\shell32.dll+84762|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577777Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.455{E1BD9FC2-817A-609D-4C51-00000000BB01}23441332C:\Windows\system32\rundll32.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+5337a|C:\Windows\System32\shell32.dll+84762|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577776Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.455{E1BD9FC2-817A-609D-4C51-00000000BB01}23441332C:\Windows\system32\rundll32.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+5337a|C:\Windows\System32\shell32.dll+84762|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577775Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.455{E1BD9FC2-817A-609D-4C51-00000000BB01}23441332C:\Windows\system32\rundll32.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\shell32.dll+d15ba|C:\Windows\System32\shell32.dll+84a34|C:\Windows\System32\shell32.dll+84688|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577774Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.455{E1BD9FC2-817A-609D-4C51-00000000BB01}23441332C:\Windows\system32\rundll32.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d15a8|C:\Windows\System32\shell32.dll+84a34|C:\Windows\System32\shell32.dll+84688|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577773Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.455{E1BD9FC2-817A-609D-4C51-00000000BB01}23441332C:\Windows\system32\rundll32.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\shell32.dll+d15a8|C:\Windows\System32\shell32.dll+84a34|C:\Windows\System32\shell32.dll+84688|C:\Windows\system32\AppXDeploymentExtensions.OneCore.dll+5d1fe|C:\Windows\system32\rundll32.exe+3b0c|C:\Windows\system32\rundll32.exe+6097|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000577772Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.393{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXEC:\Users\Administrator\Desktop\sluipoc.ps12021-05-13 19:44:19.393 11241100x8000000000000000577771Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.299{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXEC:\Users\Administrator\Desktop\slui.ps12021-05-13 19:44:19.299 13241300x8000000000000000577770Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:44:19.221{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXEHKU\S-1-5-21-3056260599-3525860832-1735521891-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 23542300x8000000000000000577769Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:19.205{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA301B86AEE577D1CCD7D6A037FE9597,SHA256=B83CC42D773922EDC5A2EA42AA9E657FC9067DA7702283006B73C723E56EEC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676491Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:19.451{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B39C8C8B02F40C31605421CE56B148B7,SHA256=E22EE8DBC4EE97B30093EA503CED0CE7FD79A361BA8129C77E88F2E8553CA295,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577788Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:20.174{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=192BB092493D8458704E84C339178503,SHA256=00DE401E0416BCC95D434EE3EDE85F407A229696E0223F407A2F9485E9C69FDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577787Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:20.127{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3D38D71D78E002456819C47D580BFC02,SHA256=C8FFBFB53F0FE0BA7F9276980C9B357E9B27BC9965BB38D9917A19DA251692B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577786Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:20.127{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0F5CEC3EFB19BEE5B6A81AA4040C720,SHA256=9A2C981528E0715EE8BA1DFBE10DCF72983D62AE095B611C472C9EECAB91B25A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676492Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:20.465{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2379E62B963A886282FD38C95B13C6A,SHA256=A807574AB324A3A9B4AC7B38C11D3008C94564B6D81A962388BAFD7C77E5F63D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000577791Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:44:21.893{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74830-0x5eece6af) 23542300x8000000000000000577790Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:21.189{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2127E08E10A3512155D3B173F4D04E7B,SHA256=77A37FFFE1D215778C2DA9535041D0F54CFD7FEE90C0AD0E12069D21C765FBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577789Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:21.096{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36EF4B400986F867605E2F8CDE6ECF31,SHA256=A01A3A31F837E6E40D47F887F57D9FC7159045B93BED18ACE68838CD1D27CD77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676495Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:21.496{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1F84BC0EBCC5A25B9B97520F416C6B,SHA256=888FE940FF4E715D397E71AEFD34A9FFF0D51BFE601322194B87C210A0DBEA67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676494Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:21.081{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F57C4C5778D72CB0C50936D44A13E71,SHA256=B1837A4F62AEA94D4B128790E3F7C6450FB63B1938E86585095F7E1FA29C027A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676493Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:21.081{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EA6BA64D9025B1EFA9F509119C05B33,SHA256=B5C8605851185564830F61EB024F881E2387A4BE1B228839CE09E08AE4480C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676506Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:22.711{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F57C4C5778D72CB0C50936D44A13E71,SHA256=B1837A4F62AEA94D4B128790E3F7C6450FB63B1938E86585095F7E1FA29C027A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676505Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:20.311{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51292-false10.0.1.12-8000- 23542300x8000000000000000676504Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:22.549{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D87EA235EE76181C92A058A501908D72,SHA256=7CDB4A07E4BAA65F71E564974FD504D0B2B5D820D88415C3D00435B9FC38EB1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000577826Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:20.836{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52901-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000577825Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.612{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577824Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.612{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577823Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.612{E1BD9FC2-8179-609D-4251-00000000BB01}39324284C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577822Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.612{E1BD9FC2-8179-609D-4251-00000000BB01}39324284C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577821Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577820Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577819Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000577818Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000577817Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577816Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577815Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577814Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2BA-609A-1D00-00000000BB01}13484528C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000577813Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2BA-609A-1D00-00000000BB01}13484528C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x8000000000000000577812Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577811Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577810Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577809Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577808Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577807Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577806Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577805Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577804Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577803Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577802Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577801Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577800Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577799Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577798Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577797Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-8179-609D-4251-00000000BB01}39324100C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577796Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.580{E1BD9FC2-8179-609D-4251-00000000BB01}39324100C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577795Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.565{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37528|C:\Windows\System32\TwinUI.dll+37448|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 10341000x8000000000000000577794Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.565{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57c95|C:\Windows\System32\TwinUI.dll+37590|C:\Windows\System32\TwinUI.dll+37435|C:\Windows\System32\TwinUI.dll+38893|C:\Windows\System32\TwinUI.dll+36e6d|C:\Windows\System32\TwinUI.dll+36c71|C:\Windows\System32\TwinUI.dll+3fb990|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0 23542300x8000000000000000577793Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.252{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35A39241C7AB1D33AD4E559FD868A940,SHA256=2569499551514A85E6336607D51675B10026D9FC4E417ADDD423CD7A6FF8894C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577792Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:22.111{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D899466E6750542697E2E1E87CBB38FF,SHA256=933E68CAD49B786EC9C239E5C9809C2C92396EEF667F75C67ADC76AFB7696362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676503Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:22.249{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=57F9151A7901C2CC65419EEA70B1B999,SHA256=9D06062FB870197874F03C369DB7335E54D10CF286C60CCCB8CE90189E6CE5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676502Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:22.249{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=27830F2C559EFBE62DD531FC241531B7,SHA256=89F876133976EA78DFA25D042AF7C1F7AD239494B86D90DD2686D8A9B084E54C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676501Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:22.249{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=AE7FE12A64AEBFBBE7621DFBE6574023,SHA256=1F4CCD9E6B84DD3B7E9506F2F5B608C87448C797569659E589C9F9E910F0A334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676500Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:22.249{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=49A26A3F39FF9F511EBE90C94AD483F2,SHA256=E1E230F5013560E90C37318C0520897E2FE4DAAA48120CC719101F4D18D91B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676499Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:22.249{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=0F0EDED68917A01C6E05D0FB11632894,SHA256=D9CF50094DC6DA046A9171AF05F88FEDFF716A5C9A637E58566E31B58B2E9E5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676498Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:22.249{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=EC0E8699F1067054CAB6910D5F57F17A,SHA256=EEF62B0B14F1EB84D0AA39184B39B7755D0E1EDE997041CE2BE742B7857F60DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676497Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:22.249{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=4F08524D3E9181601D5CD82C6CF30F15,SHA256=633DB6CED26053BAE3E77772AD4D3C46E28178ED56DC9C8220360B3B98CB52D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676496Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:22.249{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B1FEA0E584B7E3EECE1A16A6A41107D9,SHA256=1515740F12519832FA42AECA34EB6D7F4FB21AAB34373F8EB7242D1AC8CACDAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577827Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:23.518{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2637EF19C5CB6607B5675E58603DB5E4,SHA256=D086043CBC509F4792DB2332BE152308BDDEF633E00A22DAA713C55B02551E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676507Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:23.564{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C625EC7D7876A9295DED0A7051B424AE,SHA256=C4E0E063CEB852896E775108C501A7449906B8D0815C1E3E1D25FFBD8F3B6AE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577836Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:24.893{E1BD9FC2-8179-609D-4251-00000000BB01}39324284C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577835Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:24.893{E1BD9FC2-8179-609D-4251-00000000BB01}39324284C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577834Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:24.893{E1BD9FC2-8179-609D-4251-00000000BB01}39324260C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+182ce3|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577833Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:24.893{E1BD9FC2-8179-609D-4251-00000000BB01}39324260C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+182ce3|C:\Windows\SYSTEM32\ntdll.dll+80a24|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577832Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:24.893{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000577831Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:24.893{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000577830Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:24.893{E1BD9FC2-8179-609D-4251-00000000BB01}39324284C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577829Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:24.893{E1BD9FC2-8179-609D-4251-00000000BB01}39324284C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000577828Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:24.659{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EFC4CF3B767BBA0B9A7D51736F7482F,SHA256=67FFA043A2F0DC3FC78B693552C89149BBB9B3ACF637ADB7267F4FC2959420B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676508Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:24.578{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=581EF4A1B6A8F202EAE080769D2169C7,SHA256=865EE488AB680E53188F07BCB9F62F29816CD3708E3EE699AF2C9FE60913E703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676511Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:25.594{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B1E6C0E32B2D224EFB97A1EFD784D0,SHA256=EBA6827A5550101DEC13072A6E968FFB53BEB093D32205E6F75616705DC6BD80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577938Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.950{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B56E39F0183F2986F97FD831795E15,SHA256=181413239AD6BEF69497C9DACF476D917A0B85247D5539B762D734A525683380,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577937Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.919{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8199-609D-5D51-00000000BB01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000577936Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.919{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4FC83C3F0D3BC8E5578948020EABC8,SHA256=9312FD3CD058E9CB27A30F2BB5C1D3E58605A186EA4759CD11D8B9330CD53D7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577935Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.919{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577934Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.919{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577933Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.919{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577932Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.919{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577931Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.919{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8199-609D-5D51-00000000BB01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577930Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.919{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8199-609D-5D51-00000000BB01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000577929Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.795{E1BD9FC2-8199-609D-5D51-00000000BB01}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000577928Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.716{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577927Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.716{E1BD9FC2-8179-609D-4251-00000000BB01}39324284C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577926Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.716{E1BD9FC2-8179-609D-4251-00000000BB01}39324284C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577925Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.669{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+103381|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577924Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.669{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+103381|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577923Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.669{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+103381|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577922Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.669{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+103381|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577921Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.669{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5342e|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\SHELL32.dll+8dd6a|C:\Windows\System32\windows.storage.dll+1571ed|C:\Windows\System32\windows.storage.dll+156e33|C:\Windows\System32\windows.storage.dll+1031a0|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577920Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.669{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+53398|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\SHELL32.dll+8dd6a|C:\Windows\System32\windows.storage.dll+1571ed|C:\Windows\System32\windows.storage.dll+156e33|C:\Windows\System32\windows.storage.dll+1031a0|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577919Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.669{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5337a|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\SHELL32.dll+8dd6a|C:\Windows\System32\windows.storage.dll+1571ed|C:\Windows\System32\windows.storage.dll+156e33|C:\Windows\System32\windows.storage.dll+1031a0|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577918Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.669{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5337a|C:\Windows\System32\SHELL32.dll+84762|C:\Windows\System32\SHELL32.dll+8dd6a|C:\Windows\System32\windows.storage.dll+1571ed|C:\Windows\System32\windows.storage.dll+156e33|C:\Windows\System32\windows.storage.dll+1031a0|C:\Windows\System32\windows.storage.dll+102e7a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577917Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.669{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103fa8|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577916Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.669{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103fa8|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577915Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.669{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103fa8|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577914Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.669{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103fa8|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577913Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.669{E1BD9FC2-8178-609D-3751-00000000BB01}33282936C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577912Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.669{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103f85|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577911Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.669{E1BD9FC2-8178-609D-3751-00000000BB01}33282936C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577910Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285196C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577909Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577908Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285196C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577907Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577906Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103f85|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577905Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103f85|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577904Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+103f85|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577903Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+106750|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577902Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+106750|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577901Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+106750|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469 10341000x8000000000000000577900Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+106750|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577899Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577898Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577897Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700 10341000x8000000000000000577896Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+109614|C:\Windows\System32\windows.storage.dll+19ac9e|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1 10341000x8000000000000000577895Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+10a9c6|C:\Windows\System32\windows.storage.dll+10a4c2|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469 10341000x8000000000000000577894Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+10a9c6|C:\Windows\System32\windows.storage.dll+10a4c2|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469 10341000x8000000000000000577893Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+10a9c6|C:\Windows\System32\windows.storage.dll+10a4c2|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac 10341000x8000000000000000577892Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+10a9c6|C:\Windows\System32\windows.storage.dll+10a4c2|C:\Windows\System32\windows.storage.dll+19ac59|C:\Windows\System32\windows.storage.dll+107123|C:\Windows\System32\windows.storage.dll+106b50|C:\Windows\System32\windows.storage.dll+106592|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700 10341000x8000000000000000577891Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+10673b|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577890Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+10673b|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577889Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+10673b|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469 10341000x8000000000000000577888Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+10673b|C:\Windows\System32\windows.storage.dll+10190e|C:\Windows\System32\windows.storage.dll+104108|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577887Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040c4|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577886Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040c4|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577885Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040c4|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577884Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040c4|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577883Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040a3|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577882Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040a3|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577881Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040a3|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577880Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.653{E1BD9FC2-8178-609D-3751-00000000BB01}33285000C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+141061|C:\Windows\System32\windows.storage.dll+140f8c|C:\Windows\System32\windows.storage.dll+10425b|C:\Windows\System32\windows.storage.dll+1041f1|C:\Windows\System32\windows.storage.dll+1040a3|C:\Windows\System32\windows.storage.dll+103bed|C:\Windows\System32\windows.storage.dll+102e6a|C:\Windows\System32\windows.storage.dll+15630e|C:\Windows\System32\windows.storage.dll+156085|C:\Windows\System32\windows.storage.dll+665ac|C:\Windows\System32\windows.storage.dll+66700|C:\Windows\System32\windows.storage.dll+e91f1|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577879Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.638{E1BD9FC2-8178-609D-3751-00000000BB01}33285792C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+12bcbb|C:\Windows\System32\windows.storage.dll+12db93|C:\Windows\System32\windows.storage.dll+12bbcc|C:\Windows\System32\windows.storage.dll+12f341|C:\Windows\System32\windows.storage.dll+12e61c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c 10341000x8000000000000000577878Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.638{E1BD9FC2-8178-609D-3751-00000000BB01}33285792C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+12bc58|C:\Windows\System32\windows.storage.dll+12db74|C:\Windows\System32\windows.storage.dll+12bbcc|C:\Windows\System32\windows.storage.dll+12f341|C:\Windows\System32\windows.storage.dll+12e61c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c 10341000x8000000000000000577877Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.638{E1BD9FC2-8178-609D-3751-00000000BB01}33285792C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+12cddb|C:\Windows\System32\windows.storage.dll+12c2b5|C:\Windows\System32\windows.storage.dll+12c092|C:\Windows\System32\windows.storage.dll+12f2fa|C:\Windows\System32\windows.storage.dll+12e61c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c 10341000x8000000000000000577876Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.638{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5ce7c|C:\Windows\System32\windows.storage.dll+e5b79|C:\Windows\System32\windows.storage.dll+e5d04|C:\Windows\System32\windows.storage.dll+615c6|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577875Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.638{E1BD9FC2-8178-609D-3751-00000000BB01}33285792C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+60e40|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c|C:\Windows\System32\windows.storage.dll+e8a82|C:\Windows\System32\windows.storage.dll+e6469|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577874Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.638{E1BD9FC2-8178-609D-3751-00000000BB01}33285792C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5ceeb|C:\Windows\System32\windows.storage.dll+5fb52|C:\Windows\System32\windows.storage.dll+60148|C:\Windows\System32\windows.storage.dll+19f863|C:\Windows\System32\windows.storage.dll+60e25|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c 10341000x8000000000000000577873Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.638{E1BD9FC2-8178-609D-3751-00000000BB01}33285792C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+60513|C:\Windows\System32\windows.storage.dll+19f968|C:\Windows\System32\windows.storage.dll+19f849|C:\Windows\System32\windows.storage.dll+60e25|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e907c|C:\Windows\System32\windows.storage.dll+e8a82 10341000x8000000000000000577872Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.638{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.storage.dll+5d181|C:\Windows\System32\windows.storage.dll+5ce7c|C:\Windows\System32\windows.storage.dll+e5b79|C:\Windows\System32\windows.storage.dll+e5d04|C:\Windows\System32\windows.storage.dll+615c6|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x8000000000000000577871Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.622{E1BD9FC2-8179-609D-4251-00000000BB01}39323852C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF800A385D8C8)|UNKNOWN(FFFFA4974D2B4A38)|UNKNOWN(FFFFA4974D2B4BB7)|UNKNOWN(FFFFA4974D2AF241)|UNKNOWN(FFFFA4974D2B0C0A)|UNKNOWN(FFFFA4974D2AEEC6)|UNKNOWN(FFFFF800A3574E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000577870Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.622{E1BD9FC2-8179-609D-4251-00000000BB01}39323852C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF800A385D8C8)|UNKNOWN(FFFFA4974D2B4A38)|UNKNOWN(FFFFA4974D2B4BB7)|UNKNOWN(FFFFA4974D2AF241)|UNKNOWN(FFFFA4974D2B0C0A)|UNKNOWN(FFFFA4974D2AEEC6)|UNKNOWN(FFFFF800A3574E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x8000000000000000577869Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.622{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt2021-05-13 19:44:25.622 10341000x8000000000000000577868Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.622{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577867Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.622{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577866Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.606{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577865Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.606{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577864Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.606{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577863Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.606{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000577862Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.591{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UAL791KE\microsoft.windows[1].xmlMD5=E6ED8F7A14412863E743F412885BBAA7,SHA256=0EDC10881609C00BE622F4357C1D153131DE4CC64A50295F3600B4E12DAAE73C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577861Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.591{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123680C:\Windows\system32\svchost.exe{E1BD9FC2-8199-609D-5C51-00000000BB01}5548C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577860Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.591{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8199-609D-5C51-00000000BB01}5548C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577859Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.585{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8199-609D-5C51-00000000BB01}5548C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577858Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.581{E1BD9FC2-8178-609D-3751-00000000BB01}33283872C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577857Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.581{E1BD9FC2-8178-609D-3751-00000000BB01}33283872C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577856Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.581{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-8199-609D-5C51-00000000BB01}5548C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577855Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.577{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-8199-609D-5C51-00000000BB01}5548C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577854Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.577{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8199-609D-5C51-00000000BB01}5548C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577853Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.549{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123680C:\Windows\system32\svchost.exe{E1BD9FC2-8199-609D-5B51-00000000BB01}4176C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577852Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.549{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8199-609D-5B51-00000000BB01}4176C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577851Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.549{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-8199-609D-5B51-00000000BB01}4176C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577850Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.534{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-8199-609D-5B51-00000000BB01}4176C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577849Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.534{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8199-609D-5B51-00000000BB01}4176C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577848Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.534{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8199-609D-5B51-00000000BB01}4176C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35af2|c:\windows\system32\rpcss.dll+3c90d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000577847Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.534{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UAL791KE\microsoft.windows[1].xmlMD5=E6ED8F7A14412863E743F412885BBAA7,SHA256=0EDC10881609C00BE622F4357C1D153131DE4CC64A50295F3600B4E12DAAE73C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577846Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.534{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UAL791KE\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577845Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.518{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x8000000000000000577844Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.518{E1BD9FC2-8178-609D-3751-00000000BB01}33284420C:\Windows\System32\RuntimeBroker.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+ae6fa|C:\Windows\System32\combase.dll+a54bd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+64de3|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x8000000000000000577843Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.377{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UAL791KE\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577842Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.362{E1BD9FC2-817D-609D-5151-00000000BB01}4476WIN-HOST-681\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UAL791KE\microsoft.windows[1].xmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577841Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.362{E1BD9FC2-8179-609D-4251-00000000BB01}39323852C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF800A385D8C8)|UNKNOWN(FFFFA4974D2B4A38)|UNKNOWN(FFFFA4974D2B4BB7)|UNKNOWN(FFFFA4974D2AF241)|UNKNOWN(FFFFA4974D2B0C0A)|UNKNOWN(FFFFA4974D2AEEC6)|UNKNOWN(FFFFF800A3574E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000577840Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.362{E1BD9FC2-8179-609D-4251-00000000BB01}39323852C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF800A385D8C8)|UNKNOWN(FFFFA4974D2B4A38)|UNKNOWN(FFFFA4974D2B4BB7)|UNKNOWN(FFFFA4974D2AF241)|UNKNOWN(FFFFA4974D2B0C0A)|UNKNOWN(FFFFA4974D2AEEC6)|UNKNOWN(FFFFF800A3574E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577839Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.284{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000577838Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.284{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 23542300x8000000000000000577837Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:25.174{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB794B5B54F04513DEB111EB8801D6D2,SHA256=F51660970D9037F1F2495F73A0441D7F508AEEB56CF38B9B9FE6DBA7097D56EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676510Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:25.431{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676509Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:25.310{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5153EA88B6BD3A4758999948C244DE7,SHA256=09E41E592A5C5E509513A8C2708E0971397B0C9ABBA2587D5BC2FC0EB14EB77D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676518Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:26.846{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676517Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:26.846{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=0219BDF094B86B7DC7247E9BA3D0FAFB,SHA256=08CCE7D67479612AE9E419227175908BABBE639EAB8585E221748956C1228B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676516Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:26.627{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA6D11FB45DE9DDD363020413E93334,SHA256=CB79923D8B823687DBEE23796D4E57A4FBFECC8BCD6DDD0F2C80F12C12DAB356,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578018Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.983{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578017Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.983{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000578016Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-CreatePipe2021-05-13 19:44:26.968{E1BD9FC2-819A-609D-5F51-00000000BB01}5704\PSHost.132654086667888173.5704.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000578015Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.968{E1BD9FC2-819A-609D-5F51-00000000BB01}5704WIN-HOST-681\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_donwllgo.yci.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578014Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.952{E1BD9FC2-819A-609D-5F51-00000000BB01}5704WIN-HOST-681\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ilu0pdbu.thn.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000578013Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.936{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_ilu0pdbu.thn.ps12021-05-13 19:44:26.936 10341000x8000000000000000578012Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.936{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578011Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.905{E1BD9FC2-819A-609D-5F51-00000000BB01}57045708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+141a87|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578010Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.905{E1BD9FC2-819A-609D-5F51-00000000BB01}57045708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1419f2|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578009Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.905{E1BD9FC2-819A-609D-5F51-00000000BB01}57045708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578008Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.905{E1BD9FC2-819A-609D-5F51-00000000BB01}57045708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+1419d7|C:\Windows\System32\windows.storage.dll+1413b3|C:\Windows\System32\windows.storage.dll+141239|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578007Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.905{E1BD9FC2-819A-609D-5F51-00000000BB01}57045708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+171086|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578006Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.905{E1BD9FC2-819A-609D-5F51-00000000BB01}57045708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578005Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.905{E1BD9FC2-819A-609D-5F51-00000000BB01}57045708C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+171074|C:\Windows\System32\windows.storage.dll+14130c|C:\Windows\System32\windows.storage.dll+1410e8|C:\Windows\System32\windows.storage.dll+53721|C:\Windows\System32\windows.storage.dll+53669|C:\Windows\System32\windows.storage.dll+175f6|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578004Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.905{E1BD9FC2-819A-609D-5F51-00000000BB01}5704WIN-HOST-681\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFa7b2b9a.TMPMD5=8554CEE29C03241DFB5882E9984AA700,SHA256=FB6542D6D734A4D8C127624D80AED6D404A14B78F01E3564E0322ACDDB2A2FB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578003Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.874{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578002Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.858{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123680C:\Windows\system32\svchost.exe{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578001Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.858{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578000Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.858{E1BD9FC2-819A-609D-5E51-00000000BB01}56245620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577999Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.843{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577998Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.843{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577997Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.843{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577996Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.843{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577995Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.843{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+133d4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577994Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.843{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+133d4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577993Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.843{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577992Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.843{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577991Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.843{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577990Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.843{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577989Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.843{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577988Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.843{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577987Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.843{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577986Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.811{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123680C:\Windows\system32\svchost.exe{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577985Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.811{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577984Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.811{E1BD9FC2-819A-609D-6051-00000000BB01}57245736C:\Windows\system32\conhost.exe{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577983Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.796{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000577982Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.796{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba300|C:\Windows\System32\TwinUI.dll+ba677|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000577981Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.796{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577980Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.780{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577979Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.780{E1BD9FC2-8179-609D-4251-00000000BB01}39324312C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577978Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.780{E1BD9FC2-8179-609D-4251-00000000BB01}39324312C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577977Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.780{E1BD9FC2-8179-609D-4251-00000000BB01}39324284C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577976Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.780{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577975Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.780{E1BD9FC2-8179-609D-4251-00000000BB01}39324284C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109196|C:\Windows\System32\TwinUI.dll+82af7|C:\Windows\System32\TwinUI.dll+beb2e|C:\Windows\System32\TwinUI.dll+beaf9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577974Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.780{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577973Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.780{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577972Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.780{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577971Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.780{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577970Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.780{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577969Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.780{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577968Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.780{E1BD9FC2-8179-609D-4251-00000000BB01}39324120C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\windows.storage.dll+2d1b2|C:\Windows\System32\windows.storage.dll+2cea9|C:\Windows\System32\windows.storage.dll+2cd7f|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+1740bf 154100x8000000000000000577967Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.788{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Administrator\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x8000000000000000577966Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.765{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577965Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.765{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577964Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.765{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000577963Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.765{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x8000000000000000577962Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.765{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1e1c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000577961Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.765{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577960Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.765{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1D00-00000000BB01}1348C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577959Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.702{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-819A-609D-5E51-00000000BB01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577958Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.702{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577957Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.702{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577956Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.702{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577955Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.702{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577954Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.702{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-819A-609D-5E51-00000000BB01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000577953Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.702{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-819A-609D-5E51-00000000BB01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000577952Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.576{E1BD9FC2-819A-609D-5E51-00000000BB01}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000577951Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.685{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D47806705E7516F6040E05EAFF6D812,SHA256=8767D1B261FC688C3498CD438E7A25516C381549A22F7BFEB60E0BCCCF2D5379,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676515Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:25.324{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51294-false10.0.1.12-8000- 354300x8000000000000000676514Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:24.540{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51293-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000676513Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:24.540{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51293-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000676512Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:26.428{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7390FD80FF3D1E86D3385F566DC4C12,SHA256=4F8503DF7013CB94ED8838BDB6EE0E855E114BAE44DCAF126ECB072DF1C2561B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000577950Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.528{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8C5C06F2A3549738C00B6B7CEDAAF9A,SHA256=4C973F390F781A11A48408736D0A81E7F951BFF7EF857D249501BCA2EED55BB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000577949Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.060{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577948Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.060{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577947Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.060{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577946Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.060{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577945Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.060{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577944Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.060{E1BD9FC2-8178-609D-3851-00000000BB01}35604892C:\Windows\system32\sihost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000577943Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.013{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577942Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.013{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577941Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.013{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000577940Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.013{E1BD9FC2-D2BA-609A-1D00-00000000BB01}13484528C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000577939Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.013{E1BD9FC2-D2BA-609A-1D00-00000000BB01}13484528C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 23542300x8000000000000000578030Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:27.968{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=06EFD946132D2DE79B51BB7127D7D874,SHA256=6E546D01AAA91581D2DE9E0817D2AB3A2445CE59B82043AEE783489923FF564A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578029Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:27.874{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3086E1526F48CE5CED57D4219810807,SHA256=7BC52E99C66B5643A2ED9FF69E8AF7779384B668F06F0103D64DC60DB56A1604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676521Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:27.646{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6266693587D52C88187DA7FC8F035AC2,SHA256=1B548EFAE315052D6440B4D9B772506471E2643B6269D8707AC4FB67E5352B21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676520Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:27.546{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25E08CF56D0E47BF775A608427789022,SHA256=FD4C500022EB3D8D4269F4768B8C298F7515B84B6D499589493C2BEDAC8987C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676519Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:25.655{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51295-false10.0.1.12-8089- 23542300x8000000000000000578028Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:27.593{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1BD2611F34A1C7BC11A1F249929BA9C,SHA256=72ACF4EEBEECEFFC8DDEDCB373B1226EA381FE13341F8C99CBDD1D4EC6D4855C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578027Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:27.499{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-819B-609D-6151-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578026Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:27.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578025Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:27.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578024Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:27.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578023Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:27.499{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578022Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:27.499{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-819B-609D-6151-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578021Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:27.499{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-819B-609D-6151-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578020Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:27.375{E1BD9FC2-819B-609D-6151-00000000BB01}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000578019Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:27.062{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F28A28A5104A1133ED78F3BC8E1B47EC,SHA256=D7A1E9C97A120F4F26DAB3748CC0F9FD9904905E245B524F4DB7FB8D0CCA81EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578032Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:28.874{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75747161B1CD2EEB6B05668E48E7F4B5,SHA256=2F8F2F14EC368EAC0E44DFEAA117210785DC0764DDB67A122F3EB3947FD4ED5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676522Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:28.660{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0113750114EB13079EE07E6EE26B57,SHA256=0EB4160434CF340B5FCCB7DCA27EA7BCCB9C3F85B7C57BE39B8B4AE46CEFFFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578031Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:28.671{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76B65DF7506970FE7D827D956DD7F87A,SHA256=5FF41E32B84BD10BF30572CED35D111565573A016D9BD15F074C494673118A68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578035Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:29.890{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4182D60C581C489F0072A80C9CA4BA3,SHA256=E73C61C0687E39F7932B6DC8A02A2EC7A555CBEF77CA5B71AA24B2A8CD7E7967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676523Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:29.674{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB85B6786C538201FE678883F7B52AC,SHA256=A732CDAB434E2EE1FCF5D95CAC7E01D94A68DA89AEC6D0F793C28471C6F3C078,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000578034Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:29.436{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt2021-05-13 19:44:29.436 354300x8000000000000000578033Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:26.833{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52902-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578043Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:30.936{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970B736665B4D20BE5EFF6068719C093,SHA256=80090FA1C76714FF032A05B0BD2A9CD069931891BFA9B76DBB2156AF8EC3A516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676524Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:30.705{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB1DFCE00C7B2F4AF4D496822FAF1B0E,SHA256=3159F2CB4AD1A078B9F44D7BD606BACD76FB65DA40590E0E80DD18C398A5863A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578042Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:30.405{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578041Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:30.405{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578040Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:30.405{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000578039Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:30.405{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000578038Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:30.312{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BE1A44FF2862027B4DF694F17B23002B,SHA256=A9D8EDC55E66744C8D8C9293B36F3EA4D2420A2EE1E76F9D55971FCC0AE60782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578037Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:30.265{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E888188C45EAA6409E6F38EA132DADE,SHA256=84113E89A0E918E11BCC593CC238CE5045FC3E93D67B008835F3E3C61F03CD40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578036Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:29.999{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676530Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:31.741{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B9886804EF0C606E64B7C76B0F2987,SHA256=AFDBA4D42354E59BB41B29998A5052905D00D4B4381C003ECBA1498112042485,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578044Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:29.614{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52903-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 13241300x8000000000000000676529Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:44:31.719{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\BD98497A-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_BD98497A-0000-0000-0000-100000000000.XML 13241300x8000000000000000676528Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:44:31.703{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Config SourceDWORD (0x00000001) 13241300x8000000000000000676527Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:44:31.703{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BB71F2B0-B2FD-473E-8F6A-A6267F6C421D\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BB71F2B0-B2FD-473E-8F6A-A6267F6C421D.XML 354300x8000000000000000676526Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:30.351{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51296-false10.0.1.12-8000- 23542300x8000000000000000676525Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:31.124{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8C1266D2FDC8792E4621B4A5AE2C8C3,SHA256=E0E1375DD4F82EB3C2154903064031D46AE59A79C28CE6B6A9A84DEF2619977F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578055Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:32.780{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82455198762178B02D720D33B4723896,SHA256=81E40E41159069FF713A64FA17EF73C98687BF7ABBC0CCA31CF7258E34759310,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578054Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:32.233{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000578053Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:32.233{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000578052Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:32.233{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000578051Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:32.233{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000578050Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:32.233{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7284004C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000578049Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:32.233{E1BD9FC2-8178-609D-3851-00000000BB01}3560928C:\Windows\system32\sihost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578048Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:32.077{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67874FC595512103EA8B805F8A4E6DC4,SHA256=456F6B64279E36B0FFE9112650AB17A877DFAD107103E689E1980D1FA737E561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676538Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:32.272{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=58264AD195383CBF4A3DDA0672444DA2,SHA256=046B8CEFA669C4449A526521527E4E9E52A1699261688D1B4E22228419DED7BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676537Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:32.272{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E96C449A656CC5BD5DC4F0BFDAB4FD63,SHA256=32B757D41731CDD8F8015AA3B9473C8E5D9A33F29C74A6533CD9A8E8EF481EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676536Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:32.272{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=D1EB30794E28D3A6E088B1A96810EE16,SHA256=60AF8BACA4CBD8BF3ACA6899B006195D7B1E8565B2E19DB0A53458B43C7601AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676535Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:32.272{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=A628ABBA21082B88E178E8CE75B6FAFC,SHA256=0D76A9334818A8A143E2193D7829F5FD7157CA6E0C2DB341443B9509853EC38C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676534Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:32.272{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=781EC0EC1803091BCA39934EC3BC5966,SHA256=BCFE1A016E455F3DEE625015EAEF57833FFC354876AF9A4BB628EA9E8D394BA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676533Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:32.272{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=859274146D46E980D4A2E7E9C278AA93,SHA256=D4AB976161D64E490673FF79EF808B09D6926362CED4F83BB5ECF7B3A5B2C0D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676532Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:32.272{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=D316FE737E48FE0231079C2796246D7A,SHA256=DA434DA7E67803A17EFEE11284FAD144F33743FEAE62A16379FE0C8BCEE3B854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676531Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:32.272{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=BC498EA9D886DE8A918C1F3D0909ED0C,SHA256=A5BA8F6819B7C9E5171B13AEC6717A6952B3B64AFFE2C789271AE1E63F5212AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578047Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:32.062{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000578046Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:32.062{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x8000000000000000578045Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:32.062{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7281980C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000578056Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:33.108{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC6B516D1453A16B9717046BE49F5E7,SHA256=DD1B83D0AB3E3E2FBC77A8DAC873B9D85D79196AD63F8653F0D425F24B30642C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676547Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:33.770{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36734F38E6606D40B953CAAD20E6487D,SHA256=954B4257FABB1F6B92D8F48A5370A9ADFD6D0A26004CE28896F10FCB91E1938B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676546Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:31.973{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51299-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000676545Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:31.972{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51299-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000676544Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:31.965{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51298-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000676543Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:31.965{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51298-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000676542Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:31.950{7B03F3B2-D0CA-609A-0D00-00000000BA01}912C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51297-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 354300x8000000000000000676541Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:31.950{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51297-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local135epmap 23542300x8000000000000000676540Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:33.071{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAAAE9AD8ECA207941C3E936CE907E82,SHA256=6EE1E0FF5AA7E3A9A1EF5DCE575FCF5A6CBED52402644CC0B24E90D144DD246C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676539Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:33.071{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546B7B2C8BE2E4CA713DC490D6BCBCC1,SHA256=FF1A633630ADB65B6D866C6D91406E102C06E451DD9968C0C9BA10B71D187CE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578097Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.686{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-81A2-609D-6351-00000000BB01}5032C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578096Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.686{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-81A2-609D-6351-00000000BB01}5032C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578095Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.686{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-81A2-609D-6351-00000000BB01}5032C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578094Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.686{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-81A2-609D-6451-00000000BB01}4140C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578093Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.686{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-81A2-609D-6451-00000000BB01}4140C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578092Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.686{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-81A2-609D-6351-00000000BB01}5032C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578091Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.686{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-81A2-609D-6351-00000000BB01}5032C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578090Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.686{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-81A2-609D-6351-00000000BB01}5032C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578089Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.686{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-81A2-609D-6351-00000000BB01}5032C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578088Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.686{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81A2-609D-6451-00000000BB01}4140C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578087Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.686{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81A2-609D-6451-00000000BB01}4140C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578086Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.686{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81A2-609D-6451-00000000BB01}4140C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578085Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.686{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81A2-609D-6451-00000000BB01}4140C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578084Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.671{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0A93ED59203DEBD37C5E0919D56F2F16,SHA256=5AC9A4806D86D69983EF74AA410C33F30E39EA6235645B514A87B2FAB1982368,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578083Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.671{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123680C:\Windows\system32\svchost.exe{E1BD9FC2-81A2-609D-6451-00000000BB01}4140C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578082Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.671{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-81A2-609D-6451-00000000BB01}4140C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578081Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.671{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F15A67EFA2A6A651A61C4548459E2130,SHA256=DA742B0D75759021DD54202C55BE1911E24F81E5CAD45F71A0BA25768D4E2757,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578080Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.671{E1BD9FC2-81A2-609D-6451-00000000BB01}41403444C:\Windows\system32\conhost.exe{E1BD9FC2-81A2-609D-6351-00000000BB01}5032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578079Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.655{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-81A2-609D-6451-00000000BB01}4140C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578078Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.640{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578077Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.640{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578076Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.640{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-81A2-609D-6351-00000000BB01}5032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578075Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.640{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578074Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.640{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578073Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.640{E1BD9FC2-81A2-609D-6251-00000000BB01}48285284C:\Windows\System32\slui.exe{E1BD9FC2-81A2-609D-6351-00000000BB01}5032C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+3d443|C:\Windows\System32\SHELL32.dll+3d30b|C:\Windows\System32\SHELL32.dll+3cc27|C:\Windows\System32\SHELL32.dll+dcb5e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000578072Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.652{E1BD9FC2-81A2-609D-6351-00000000BB01}5032C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" C:\Users\Administrator\Desktop\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{E1BD9FC2-81A2-609D-6251-00000000BB01}4828C:\Windows\System32\slui.exe"C:\Windows\System32\slui.exe" 10341000x8000000000000000578071Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.640{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-81A2-609D-6251-00000000BB01}4828C:\Windows\System32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578070Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.640{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-81A2-609D-6251-00000000BB01}4828C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578069Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.624{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-81A2-609D-6251-00000000BB01}4828C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578068Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.624{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123680C:\Windows\system32\svchost.exe{E1BD9FC2-81A2-609D-6251-00000000BB01}4828C:\Windows\System32\slui.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578067Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.624{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-81A2-609D-6251-00000000BB01}4828C:\Windows\System32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578066Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.608{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578065Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.608{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578064Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.608{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578063Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.608{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578062Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.608{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-81A2-609D-6251-00000000BB01}4828C:\Windows\System32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578061Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.608{E1BD9FC2-819A-609D-5F51-00000000BB01}57045596墰ᢻ翽{E1BD9FC2-81A2-609D-6251-00000000BB01}4828C:\Windows\System32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\shell32.dll+3cd0f|C:\Windows\System32\shell32.dll+3cb9c|C:\Windows\System32\shell32.dll+3c8ec|C:\Windows\System32\shell32.dll+e2187|C:\Windows\System32\shell32.dll+e20e5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+38b3fc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+af0a27|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01b0|UNKNOWN(00007FFD18BB58B0)|UNKNOWN(00007FFD18BB58B0) 154100x8000000000000000578060Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.604{E1BD9FC2-81A2-609D-6251-00000000BB01}4828C:\Windows\System32\slui.exe10.0.14393.4169 (rs1_release.210107-1130)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\System32\slui.exe" C:\Users\Administrator\Desktop\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=6DA00C320273915FA7A6E43A8AA2F0C5,SHA256=008AD5FDB6416DDDDA2851C9E8C45A37F4332394341EC5786C9079851A7A5A1E,IMPHASH=BE6A8F73F7A470237F542B6CFB4ECD5B{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 13241300x8000000000000000578059Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1042SetValue2021-05-13 19:44:34.562{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500_Classes\exefile\shell\open\command\(Default)cmd.exe 354300x8000000000000000578058Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:31.864{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52904-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578057Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:34.124{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2858ACE40DCD66287D771BA5B03EC53,SHA256=7E9BB4176C5B8C9028FADFA27F41B1BCB3A7B7F5A781EF09FF0D2D94D17CD155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676548Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:34.101{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6E596BF3FDC87E8ABEA4E37AB76BD0,SHA256=2B1E437E901C0221C8E22F5C4D704F4C579A99E11E97F5774EE3967C2A44D22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676549Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:35.118{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8062D3D44D6B85BD78491C7DB2C1D6C,SHA256=A2E1E7622937A480181967248DFDAD0CD1F9730C086F35BCD8D43AA6001EAC74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578118Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.983{E1BD9FC2-81A3-609D-6651-00000000BB01}34485096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578117Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.843{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-81A3-609D-6651-00000000BB01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578116Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.843{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578115Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.843{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578114Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.843{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578113Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.843{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578112Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.843{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-81A3-609D-6651-00000000BB01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578111Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.843{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-81A3-609D-6651-00000000BB01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578110Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.843{E1BD9FC2-81A3-609D-6651-00000000BB01}3448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000578109Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.624{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F91B04C46FC5B487ED32FE3E3CF0FCC7,SHA256=A7101A4938A2AC597172FE30CB7F5EF0A41A13AA59C9D94E397BF0C973AE52FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578108Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.468{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=99085F07ED227A9E9C5BC6F08092075D,SHA256=FF2D4CA8ABA4AE75BCF905A6D0F78AB5A75E72178AAFCD49006980B9400E7DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578107Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.358{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CAD31CFCA38D5F1E08A67B9059017D,SHA256=7C4A811FCE4BFD6A7B91FD50108207F36C656B69178CA3739E073B0797604529,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578106Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.311{E1BD9FC2-81A3-609D-6551-00000000BB01}42085004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578105Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.171{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-81A3-609D-6551-00000000BB01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578104Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.171{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578103Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.171{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578102Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.171{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578101Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.171{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578100Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.171{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-81A3-609D-6551-00000000BB01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578099Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.171{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-81A3-609D-6551-00000000BB01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578098Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.046{E1BD9FC2-81A3-609D-6551-00000000BB01}4208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000676552Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:35.386{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51300-false10.0.1.12-8000- 23542300x8000000000000000676551Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:36.202{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD6D080539D397EA7456BBE7C9E3C606,SHA256=B30090694ABC2967703E2B994E69062E28D26D522F4C0417316E815C8FA458C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676550Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:36.123{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE459E411237AAA63CC67B113CE3434,SHA256=4343E1B3B9784DAAA10B60669FE386936D62A0093AE7448C523F01104BA39EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578135Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.874{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1144B1FE6445A842722CC873C6EF48C,SHA256=157537FFBEC1B8030002713589A4DE94AD521025216BCB3558A48F70156FF44D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578134Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.780{E1BD9FC2-81A4-609D-6751-00000000BB01}5012820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578133Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.640{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-81A4-609D-6751-00000000BB01}5012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578132Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.640{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578131Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.640{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578130Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.640{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578129Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.640{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578128Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.640{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-81A4-609D-6751-00000000BB01}5012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578127Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.640{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-81A4-609D-6751-00000000BB01}5012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578126Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.515{E1BD9FC2-81A4-609D-6751-00000000BB01}5012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000578125Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.218{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578124Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.218{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578123Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.218{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578122Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.218{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578121Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.218{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578120Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.218{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578119Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:36.171{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A713E2DFBF5237773B9FF694499F6AF4,SHA256=D48743E706F2CF06FD81C8F82F558CF98F51B2CE48AE710FAC4105DAC1A3BDB0,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000578147Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1042DeleteKey2021-05-13 19:44:37.624{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500_Classes\exefile\shell 12241200x8000000000000000578146Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1042DeleteKey2021-05-13 19:44:37.624{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500_Classes\exefile\shell\open 12241200x8000000000000000578145Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1042DeleteKey2021-05-13 19:44:37.624{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500_Classes\exefile\shell\open\command 10341000x8000000000000000578144Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:37.358{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-81A5-609D-6851-00000000BB01}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578143Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:37.358{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578142Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:37.358{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578141Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:37.358{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578140Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:37.358{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578139Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:37.358{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-81A5-609D-6851-00000000BB01}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578138Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:37.358{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-81A5-609D-6851-00000000BB01}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578137Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:37.235{E1BD9FC2-81A5-609D-6851-00000000BB01}4572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000578136Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:37.186{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D53020A22F6EB1215102E51AD2C513,SHA256=08A77676EB0D32C2FCEEF12D41A0E64E348739CF48493CDAFC63BC59C37478FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676553Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:37.139{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC8D0FF76E4E3C62DFEEEBBF33C5CA70,SHA256=FC2CF0541C0740849E883A6352D3FCE087DFBEF28901147BE6E50C3AE36DEF84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578151Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:38.686{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=546872328D5C718D1BE807E1AADD391F,SHA256=FD29DA6D77F56187C333C4BCE9051AB19C10D8F34D7B4F112CF3F77AD2D96F4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578150Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:35.927{E1BD9FC2-D2BA-609A-1000-00000000BB01}972C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:c1a8:3628:a9d6:2a9win-host-681.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000578149Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:38.249{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9242B6BA0616C62254F6C030649BFD24,SHA256=35CA569A9CD08E3C26EC0E068CBFB619575A7D53929FB2A4B70C6FBB54F61BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578148Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:38.218{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ADCF00621DD85D35EB8ECE09B901171,SHA256=0AD3C3EAAC9098B66627DA4481143CDE9231E4609FA16CF0E1F888D96A7B6E79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676554Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:38.154{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FFD6A4AB73D1C396E890B62197ED07E,SHA256=853B19BFF7CD59BA76853642E993129663DB61B8A3AB199C64B72C67AC1A5352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578152Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:39.233{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0764FBF280D0A2DA11A991250CF4B7D,SHA256=EEFAFEE8A235BC666D724F8E020EE7AFC7ADF17A165904701D1147590DEF6410,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676558Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:39.953{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000676557Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:39.953{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676556Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:39.953{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa82fa42.TMPMD5=346300475E448CB8C87FA70FBB77957C,SHA256=6E1B0925EC7B732FAB1C67727204BF1339A3240893B5B49D14944A94705CC7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676555Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:39.169{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BED2200231B4F580D5A5CFCD7A4EF2,SHA256=43739E390455B78BCCA2D65D556760DCEE31E29D7BD0A3590D7E04A67009B7E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578154Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:37.708{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52905-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578153Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:40.293{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46897AAE2183BF99AD01DDFDB68EA25,SHA256=04BBF71D2EF29778FF472D807BC2936D3EC03B5725B22E34C635A0E6FCA20975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676559Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:40.200{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53EE2D7487D43F49530A9A09F9C6812F,SHA256=BCF0673E3F70EEC87C183A4F3F214E0808A3B0F71042093769AF27D7BD0AE698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578155Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:41.327{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC22CA934144B87FAE9E61A87F3F6879,SHA256=C8D3676079466DC2DE75249B502E24FD91DFE7E4235CFB82FB1853A212103C59,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676563Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:40.461{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51301-false10.0.1.12-8000- 23542300x8000000000000000676562Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:41.236{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=320AB3CC3D860A2E7F24608D192133B2,SHA256=28EC20ABF4F052822890DA057BE7DDDF0D08593415218C7596C2FD01FBF0C01E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676561Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:41.236{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=296F23F94C372988A957E74E351D372B,SHA256=A1C6145231DE513FF60DDB5E0D5EE3498138BF124915CA6BC5F1ACF86F4FD91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676560Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:41.217{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0CF889C299E9C8A744F1BC97556E66,SHA256=A6E892B989F6BDCD6E4B7ED200170589DA0C9284BC03CD12BB959E1FCCAD4645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578156Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:42.342{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D475FEF12CBC9C21D936872596EF1CAC,SHA256=3EE514C99E92C153BA02C07A0E6595774ECC861B8D6D051D71919AF7617764C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676565Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:42.736{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=320AB3CC3D860A2E7F24608D192133B2,SHA256=28EC20ABF4F052822890DA057BE7DDDF0D08593415218C7596C2FD01FBF0C01E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676564Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:42.267{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867294C415B7F3B04A1BDD8DB6E6B4C4,SHA256=D0AEC7DB82293F8F900EE68A87EB3B159B73576BB3E2A8A8E88F185B1B9237F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578165Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:43.483{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578164Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:43.483{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000578163Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:44:43.483{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXEHKU\S-1-5-21-3056260599-3525860832-1735521891-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x8000000000000000578162Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:44:43.467{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXEHKU\S-1-5-21-3056260599-3525860832-1735521891-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ECF03A32-103D-11D2-854D-006008059367} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x8000000000000000578161Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:44:43.452{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXEHKU\S-1-5-21-3056260599-3525860832-1735521891-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x8000000000000000578160Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:44:43.452{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXEHKU\S-1-5-21-3056260599-3525860832-1735521891-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} {00000122-0000-0000-C000-000000000046} 0xFFFFBinary Data 13241300x8000000000000000578159Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:44:43.389{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXEHKU\S-1-5-21-3056260599-3525860832-1735521891-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{B298D29A-A6ED-11DE-BA8C-A68E55D89593} {000214E4-0000-0000-C000-000000000046} 0xFFFFBinary Data 23542300x8000000000000000578158Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:43.389{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFBE961B719458BCFBC7B1EE8894BB4,SHA256=FD854447C35AE53419EC19616CF64AD7009D8F82180F852BBCA61A5A9C54B655,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676566Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:43.282{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA58DBF63CBD6D6AAD45F4AE7569542,SHA256=FB55B58B22C1A26C698102C7F0BDB238C8D760A489C92A641AE64535D3928129,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000578157Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:44:43.374{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXEHKU\S-1-5-21-3056260599-3525860832-1735521891-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFFBinary Data 23542300x8000000000000000578168Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:44.405{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F5D1ABFC7E9472061363E428CB4BD4F,SHA256=69B3871D05C65EAB207673E49E00BDF1ABC869FB5FCFCFE2A89C5C1B8B01477C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676575Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:44.964{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-81AC-609D-6656-00000000BA01}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676574Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:44.964{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676573Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:44.964{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676572Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:44.964{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676571Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:44.964{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676570Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:44.964{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-81AC-609D-6656-00000000BA01}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676569Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:44.964{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-81AC-609D-6656-00000000BA01}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676568Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:44.965{7B03F3B2-81AC-609D-6656-00000000BA01}7764C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676567Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:44.296{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3ED945CA2D108E039F7175FF3F44C65,SHA256=13001F5A0C9FC872E8FC890967DC7698952BB93B2970E6345B510C2F92EE454D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578167Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:44.295{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00CE806A2C7FE6E2B7513E2146BC4FF9,SHA256=4EE43350887D3F5ABFB21EB252F8470258B8F2EA82DAD6423E2780EB0E7E9556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578166Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:44.295{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB7200130792A26AB3A939143765D9D4,SHA256=5206F324D2A215AA7E2C9CAABE3337CB5CAFF168045FA088B7126F3DE83FBC45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578207Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.795{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578206Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.795{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578205Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.795{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578204Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.795{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578203Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.795{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578202Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.795{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578201Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.795{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578200Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.717{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-81AD-609D-6A51-00000000BB01}5972C:\Program Files\Notepad++\updater\gup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578199Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.717{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-81AD-609D-6A51-00000000BB01}5972C:\Program Files\Notepad++\updater\gup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578198Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.686{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578197Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.686{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578196Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.686{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578195Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.686{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578194Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.686{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578193Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.686{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578192Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.608{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578191Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.592{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-81AD-609D-6A51-00000000BB01}5972C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578190Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578189Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578188Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578187Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.592{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578186Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.592{E1BD9FC2-81AD-609D-6951-00000000BB01}35296C:\Program Files\Notepad++\notepad++.exe{E1BD9FC2-81AD-609D-6A51-00000000BB01}5972C:\Program Files\Notepad++\updater\gup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\SHELL32.dll+3cd0f|C:\Windows\System32\SHELL32.dll+3cb9c|C:\Windows\System32\SHELL32.dll+3c8ec|C:\Windows\System32\SHELL32.dll+e2187|C:\Windows\System32\SHELL32.dll+e20e5|C:\Windows\System32\SHELL32.dll+13bf2b|C:\Program Files\Notepad++\notepad++.exe+103989|C:\Program Files\Notepad++\notepad++.exe+151841|C:\Program Files\Notepad++\notepad++.exe+182086|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578185Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.582{E1BD9FC2-81AD-609D-6A51-00000000BB01}5972C:\Program Files\Notepad++\updater\GUP.exe5.13WinGup for Notepad++WinGup for Notepad++Don HO don.h@free.frgup.exe"C:\Program Files\Notepad++\updater\gup.exe" -v7.95 -px64C:\Program Files\Notepad++\updater\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=EA20C0550A753BF194FA02A52A0CB932,SHA256=70FF333305CE2C4FBD5C583B3158A2A083D784C0F8A3D2AE09D55568E19BCD7E,IMPHASH=0AC02220E25075D21D6FCE74AEF267AF{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\Administrator\Desktop\slui.ps1" 10341000x8000000000000000578184Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.577{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578183Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.577{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578182Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.561{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578181Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.561{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123680C:\Windows\system32\svchost.exe{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578180Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.561{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578179Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.483{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=3940BCDAF9482D163EBD5C5AC45B4629,SHA256=30A9C10C557DC8190F2C3BDB6CF49B876949FE8B9D40CB0C918D999EAC41DA92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578178Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:43.056{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52907-false72.21.91.29-80http 354300x8000000000000000578177Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:42.770{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52906-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000578176Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.436{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578175Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.436{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578174Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.436{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578173Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.436{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578172Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.436{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578171Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.436{E1BD9FC2-8179-609D-4251-00000000BB01}39324084C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80287|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+17c79c|C:\Windows\System32\SHELL32.dll+19ea68|C:\Windows\System32\SHELL32.dll+2845a3|C:\Windows\System32\SHELL32.dll+44572f|C:\Windows\System32\SHELL32.dll+17ca40|C:\Windows\System32\SHELL32.dll+179ebe|C:\Windows\System32\SHELL32.dll+736e1|C:\Windows\System32\SHELL32.dll+765c6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\System32\SHELL32.dll+7ade1|C:\Windows\System32\SHELL32.dll+7b863|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58612 154100x8000000000000000578170Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.399{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe7.95Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\Administrator\Desktop\slui.ps1"C:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=45833E3CFFD3716546665DCE0C343F2E,SHA256=5AEC02154C9A23F5D77B11853691449063AA0EF3988C4EB30048DEBBCEC8B947,IMPHASH=DE4B8987D5ADB218127887FA4130E9E8{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x8000000000000000578169Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.405{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760621B07DEEEDBF3FFCBB360A8256F9,SHA256=817ECCF5206AA34C717CFAE1F8C396AEBB32F423BC740B0462BE1E9A40A07633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676585Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:45.994{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B311248904AAEF569FC80099E028F23,SHA256=8F5AEC813830DDBED693C17F2F3E522E24A62FFD1303BDF6F632374127810E10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676584Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:45.479{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-81AD-609D-6756-00000000BA01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676583Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:45.479{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676582Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:45.479{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676581Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:45.479{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676580Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:45.479{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676579Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:45.479{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-81AD-609D-6756-00000000BA01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676578Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:45.479{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-81AD-609D-6756-00000000BA01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676577Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:45.480{7B03F3B2-81AD-609D-6756-00000000BA01}5280C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676576Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:45.332{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BDDA419BB25D244E304E662C846335,SHA256=C8CF2A9F8E3EABC34E6A2B5FB8D61BC7D1F62D91203FD52A64B1B33C1465FC96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676596Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:45.891{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal65065- 10341000x8000000000000000676595Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:46.394{7B03F3B2-81AE-609D-6856-00000000BA01}48127592C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676594Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:46.347{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9068C3E93179CFED9FD1D0B480337CBD,SHA256=9DE2764353C035D3AD0DA7C8E8BF279F4CC6957C0CEF90989893A18602DD56EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578211Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:46.801{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7D6C227C17DACACD288FD8BF95734602,SHA256=5755D88EDAACC6B344C4FAC0B133BCAA330D53C0FCF0D0680DCFC0AE0FF2D487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578210Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:46.801{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE7120F690CF0BB480E5C494B01FD02,SHA256=198C346BBACC019E98019D4C6AFAB3501848A2893692131CCE981A41F5098F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578209Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:46.801{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9BC5C7171AD3B776ED7DA21E4AC05A6C,SHA256=01D57A9F6F8CDA34432F33CDA33D17DE0AD18BF6ECBB6DCBB5597A9A09DB7BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578208Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:46.405{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00CE806A2C7FE6E2B7513E2146BC4FF9,SHA256=4EE43350887D3F5ABFB21EB252F8470258B8F2EA82DAD6423E2780EB0E7E9556,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676593Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:46.163{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-81AE-609D-6856-00000000BA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676592Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:46.163{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676591Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:46.163{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676590Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:46.163{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676589Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:46.163{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676588Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:46.163{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-81AE-609D-6856-00000000BA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676587Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:46.163{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-81AE-609D-6856-00000000BA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676586Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:46.164{7B03F3B2-81AE-609D-6856-00000000BA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000676617Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.961{7B03F3B2-81AF-609D-6A56-00000000BA01}45447236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000676616Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:46.457{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51302-false10.0.1.12-8000- 10341000x8000000000000000676615Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.776{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-81AF-609D-6A56-00000000BA01}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676614Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.776{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676613Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.776{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676612Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.776{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676611Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.776{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-81AF-609D-6A56-00000000BA01}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676610Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.776{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676609Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.776{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-81AF-609D-6A56-00000000BA01}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676608Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.778{7B03F3B2-81AF-609D-6A56-00000000BA01}4544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676607Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.361{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2CB9EE02D802481F0E09E1B9D83D15,SHA256=3CB9274E8715A427C975D6C1CBE7654C402F4ED7659C9B465063E62A94899F4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578212Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:47.410{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B97E9B6D71FF97CEBA179F35740EE7,SHA256=AD10D346D4A7C2D5156350A5808494579602A1C3480BFFA83BFCD1E29576C40D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676606Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.261{7B03F3B2-81AF-609D-6956-00000000BA01}81366872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676605Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.193{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D793915558B8B7FD4C8016CB142A3E5,SHA256=9C0C89CDB6544C63C39984332BF2642F41B850C7ED05AE302DFF3C630E65BFE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676604Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.113{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-81AF-609D-6956-00000000BA01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676603Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.111{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676602Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.111{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676601Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.110{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676600Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.110{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676599Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.110{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-81AF-609D-6956-00000000BA01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676598Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.110{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-81AF-609D-6956-00000000BA01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676597Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.109{7B03F3B2-81AF-609D-6956-00000000BA01}8136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x8000000000000000578216Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.320{00000000-0000-0000-0000-000000000000}5972notepad-plus-plus.org0::ffff:104.21.26.128;::ffff:172.67.136.69;<unknown process> 23542300x8000000000000000578215Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:48.629{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=260EC77E52DE87CC92C7C2DA5455DA57,SHA256=C2D8AAC8D0F253B088204BD1AFFDEAEF3A255811E892AFD1AD1349FF6D150C2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578214Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:45.341{00000000-0000-0000-0000-000000000000}5972<unknown process>-tcptruefalse10.0.1.15win-host-681.attackrange.local52908-false104.21.26.128-443https 23542300x8000000000000000578213Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:48.426{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B20973FC3C2178C43305AE7169609D6A,SHA256=69C532FD16E019FD7C9845FDB6C2BB017211509CCBE8C5DF4C014B87FD83475C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676620Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:47.848{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal53726- 23542300x8000000000000000676619Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:48.376{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B11D9E062017E05A5DBA2CD5C88672E,SHA256=F3606A73535D301425F0C7BDEAD7E9D8E373C7DFE1A6CF261F21AF7F75319BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676618Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:48.292{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=968240B6A71133C8CADFECA53B6B9596,SHA256=CCD6CF353CA0B413304FE99CFA5562307B4BCD2DBF4E4BCAECDDE597CE1827BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578218Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:47.791{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52909-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578217Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:49.457{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A90E7F3681011DE58405E584E1D03CC,SHA256=5628AAB86F859AB967C7CEA209AF1CC11EA7FF8892FD4723F08AD31F4E51B8A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676621Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:49.391{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F0F60701A2EBC55D03381E1800CC52,SHA256=C0E9CBEA37FC3C1847CB9AF15EA6541AFE43A05F1BE8886D2D3D515D2F304A1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578225Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:50.848{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578224Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:50.848{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578223Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:50.848{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578222Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:50.848{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578221Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:50.848{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578220Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:50.848{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578219Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:50.457{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BC9DA16C327809B7E2FB6AC3ECFB1D,SHA256=705C7B75FC6EBC3B5B7264305249D4160AD5BFD8DCE7C4F45A79A95516A9C944,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676631Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:50.911{7B03F3B2-81B2-609D-6B56-00000000BA01}20405400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676630Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:50.727{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-81B2-609D-6B56-00000000BA01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676629Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:50.727{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676628Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:50.727{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676627Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:50.727{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676626Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:50.727{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676625Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:50.727{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-81B2-609D-6B56-00000000BA01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676624Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:50.727{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-81B2-609D-6B56-00000000BA01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676623Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:50.728{7B03F3B2-81B2-609D-6B56-00000000BA01}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676622Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:50.407{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD10ABF61F0A6D8E3A4F9AF038CA05D0,SHA256=B8779F5919E1D074094D069E9B6A69963C2980964F616CD8B5304215DC7DDB73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578226Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:51.473{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850F5E7BEA65B9B2A5351AA2123B4706,SHA256=70C22BEFC6E6DEBC020860DEF3D06CFCD514AF64D6F3D04482F08D085088DAD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676641Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:51.741{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62AB7848DB262762F8314ECAE1E50226,SHA256=494BD8B137257225BD5D6F8468F5AB700CF6E1631DBB69DDD41FFE06A1838FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676640Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:51.426{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD40F192C71128B04522CCACA59D0CE,SHA256=4CB646916339EC740742E485A5E3FCCAE16ABB4570EE4D9498AB6D43A0380FB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676639Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:51.408{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-81B3-609D-6C56-00000000BA01}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676638Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:51.406{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676637Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:51.406{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676636Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:51.406{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676635Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:51.406{7B03F3B2-D0CA-609A-0C00-00000000BA01}856676C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676634Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:51.406{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-81B3-609D-6C56-00000000BA01}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676633Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:51.405{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-81B3-609D-6C56-00000000BA01}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676632Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:51.405{7B03F3B2-81B3-609D-6C56-00000000BA01}6356C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000578228Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:52.926{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=776F1C39837774A2EA668426E4B732FA,SHA256=B5690EA7AAAD58F2FAD4378812DFE34B5142D06159676452642F1CC5CA88FA31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578227Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:52.488{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B12C72CE3857FBA1F7D52176329F5F7,SHA256=2A9AE2FECF52E5548D6DEDDE2698F6FA692D000CF7FD07AE5FA6B19F18F35E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676642Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:52.441{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=605A2BDE604BBA6B313ABBF3D7155F0A,SHA256=A10BB7E61CD14D270CD425F543BB5A856FC68F2E8111A15C3B389AE53DABBB96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676645Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:53.623{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4F0FA2A3F9600AD88BCE9E4A723DFB5C,SHA256=C810896540ABAB3671F2777C725F1111CAA70EEE2FBC06A4F9AEEC8CA5005CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676644Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:53.504{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA781978C8923AE642EAD07655D6D3C0,SHA256=60978B40F4348CBFAA622A4527291800E9B720BEEBE89608AAC0FD7F4B5FA14E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578229Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:53.488{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F77F0566DE8A117B8622C5E1BD34DA9,SHA256=128B840634FF7CD54DB1627C6019CCE533140808CFC51E8AB0C91A3D4F732441,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676643Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:51.487{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51303-false10.0.1.12-8000- 10341000x8000000000000000578271Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.879{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-81B6-609D-6C51-00000000BB01}6140C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578270Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.879{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-81B6-609D-6C51-00000000BB01}6140C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578269Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.879{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-81B6-609D-6C51-00000000BB01}6140C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578268Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.879{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-81B6-609D-6D51-00000000BB01}5352C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578267Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.879{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-81B6-609D-6D51-00000000BB01}5352C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578266Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.879{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-81B6-609D-6C51-00000000BB01}6140C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578265Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.879{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-81B6-609D-6C51-00000000BB01}6140C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578264Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.879{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-81B6-609D-6C51-00000000BB01}6140C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578263Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.863{E1BD9FC2-8179-609D-4251-00000000BB01}39325492C:\Windows\Explorer.EXE{E1BD9FC2-81B6-609D-6C51-00000000BB01}6140C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578262Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.863{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81B6-609D-6D51-00000000BB01}5352C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578261Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.863{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81B6-609D-6D51-00000000BB01}5352C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578260Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.863{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81B6-609D-6D51-00000000BB01}5352C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578259Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.863{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81B6-609D-6D51-00000000BB01}5352C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578258Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.863{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-81B6-609D-6D51-00000000BB01}5352C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578257Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.863{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-81B6-609D-6D51-00000000BB01}5352C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578256Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.863{E1BD9FC2-81B6-609D-6D51-00000000BB01}53526104C:\Windows\system32\conhost.exe{E1BD9FC2-81B6-609D-6C51-00000000BB01}6140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578255Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.863{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=63A532C8961C8D642C58C3DC14ECC3FE,SHA256=1CA17BB4F71807B250310D46D157D218A8AA4B728014A69AE726EA4F394DBF9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578254Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.863{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0A93ED59203DEBD37C5E0919D56F2F16,SHA256=5AC9A4806D86D69983EF74AA410C33F30E39EA6235645B514A87B2FAB1982368,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578253Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.848{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-81B6-609D-6D51-00000000BB01}5352C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578252Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.848{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578251Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.848{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578250Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.848{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578249Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.848{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578248Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.848{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-81B6-609D-6C51-00000000BB01}6140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578247Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.848{E1BD9FC2-81B6-609D-6B51-00000000BB01}60045996C:\Windows\System32\slui.exe{E1BD9FC2-81B6-609D-6C51-00000000BB01}6140C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+3d443|C:\Windows\System32\SHELL32.dll+3d30b|C:\Windows\System32\SHELL32.dll+3cc27|C:\Windows\System32\SHELL32.dll+dcb5e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000578246Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.851{E1BD9FC2-81B6-609D-6C51-00000000BB01}6140C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" C:\Users\Administrator\Desktop\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{E1BD9FC2-81B6-609D-6B51-00000000BB01}6004C:\Windows\System32\slui.exe"C:\Windows\System32\slui.exe" 10341000x8000000000000000578245Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.848{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-81B6-609D-6B51-00000000BB01}6004C:\Windows\System32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578244Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.848{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-81B6-609D-6B51-00000000BB01}6004C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578243Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.832{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-81B6-609D-6B51-00000000BB01}6004C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578242Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.817{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-81B6-609D-6B51-00000000BB01}6004C:\Windows\System32\slui.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578241Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.817{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-81B6-609D-6B51-00000000BB01}6004C:\Windows\System32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578240Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.723{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578239Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.723{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578238Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.723{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578237Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.723{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578236Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.723{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-81B6-609D-6B51-00000000BB01}6004C:\Windows\System32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578235Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.723{E1BD9FC2-819A-609D-5F51-00000000BB01}57045596-{E1BD9FC2-81B6-609D-6B51-00000000BB01}6004C:\Windows\System32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\shell32.dll+3cd0f|C:\Windows\System32\shell32.dll+3cb9c|C:\Windows\System32\shell32.dll+3c8ec|C:\Windows\System32\shell32.dll+e2187|C:\Windows\System32\shell32.dll+e20e5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+38b3fc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+af0a27|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+a8ff9700|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+a8ff9700 154100x8000000000000000578234Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.732{E1BD9FC2-81B6-609D-6B51-00000000BB01}6004C:\Windows\System32\slui.exe10.0.14393.4169 (rs1_release.210107-1130)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\System32\slui.exe" C:\Users\Administrator\Desktop\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=6DA00C320273915FA7A6E43A8AA2F0C5,SHA256=008AD5FDB6416DDDDA2851C9E8C45A37F4332394341EC5786C9079851A7A5A1E,IMPHASH=BE6A8F73F7A470237F542B6CFB4ECD5B{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 13241300x8000000000000000578233Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1042SetValue2021-05-13 19:44:54.723{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500_Classes\exefile\shell\open\command\(Default)cmd.exe 23542300x8000000000000000578232Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.520{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C9287ECA16D888A9FBDFC0234C13F7,SHA256=1FDCAE17FE24CB8BC38EAFC4598FB01233125388D7D9774B8F58252CDFB620E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676646Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:54.539{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A37F83ABC2F584ADA41F66070F5E5E2,SHA256=460CDA23B9E1CA25EE4D0F2F6280BF2C3CBFF1586ABDF5AADABBFAC1E553F416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578231Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.192{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34F9167986E2396B112BC1D9CD46C861,SHA256=8D23241BC0932B7BF187F3025332D6EB5CA9960E51FE04FB5F92F147ED5A6DA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578230Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:54.192{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E64CF21116256F092D7AF288E7A2866,SHA256=7C557F07173B921F4EDA12A11C15E70129BA3CCBD85A24070B5D08CA21D50723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676647Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:55.569{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3954AB79BC115598FCBD335531A7B548,SHA256=74048A1B55B226D76F2C8C629003D891C208E29C4CCF326772AB70A1ACECF8B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578274Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:55.629{E1BD9FC2-8178-609D-3751-00000000BB01}3328WIN-HOST-681\AdministratorC:\Windows\System32\RuntimeBroker.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.dbMD5=2C884BCDE695C43D98B96A3B6B68A04D,SHA256=3431EEC41B6B3A7D65FBA803D5D670D82D56DCE3840329C2456E6BADF6FFA34E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578273Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:55.067{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1600-00000000BB01}1212C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000578272Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:52.806{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52910-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000676649Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:56.584{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BF4A54C6F92F2D0794BEAD4AD938D1E,SHA256=F4E92AAA2C6881C7E726317C59834FD8DC972E2C4AF4C8969F3263D0103FFB9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578295Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.645{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B1080BC82E8F35CD2525ED15DFDB080,SHA256=0CA987059A2F86FD8C850BA101B08E51B17A38890BDA2695AC7D5FA09CB2CF86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676648Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:56.100{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-804F-609D-3456-00000000BA01}4432C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578294Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.426{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-81B8-609D-6E51-00000000BB01}5840C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578293Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.426{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-81B8-609D-6E51-00000000BB01}5840C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578292Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.363{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-81B8-609D-6E51-00000000BB01}5840C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578291Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.301{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578290Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.301{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578289Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.301{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578288Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.301{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578287Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.301{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578286Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.301{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578285Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.270{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-81B8-609D-6E51-00000000BB01}5840C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578284Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.176{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578283Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.176{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578282Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.176{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578281Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.176{E1BD9FC2-D2B9-609A-0C00-00000000BB01}7283728C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578280Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.176{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-81B8-609D-6E51-00000000BB01}5840C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578279Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.176{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-81B8-609D-6E51-00000000BB01}5840C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578278Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.179{E1BD9FC2-81B8-609D-6E51-00000000BB01}5840C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\system32\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000578277Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.035{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80E204533065D157CC83C7AC1877ECB0,SHA256=DF9AABEE45886BC1C1000698D0E6ED811119D5CA00806235AC832095A808D5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578276Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.035{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EC1CC3AED7BA4197D9D7DE086E67A42F,SHA256=BF9FECA7B55892408D854F1609973A9DC87C659E11D19E002614ED6C8F52AD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578275Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:56.035{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34F9167986E2396B112BC1D9CD46C861,SHA256=8D23241BC0932B7BF187F3025332D6EB5CA9960E51FE04FB5F92F147ED5A6DA4,IMPHASH=00000000000000000000000000000000falsetrue 12241200x8000000000000000578300Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1042DeleteKey2021-05-13 19:44:57.738{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500_Classes\exefile\shell 12241200x8000000000000000578299Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1042DeleteKey2021-05-13 19:44:57.738{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500_Classes\exefile\shell\open 12241200x8000000000000000578298Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1042DeleteKey2021-05-13 19:44:57.738{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500_Classes\exefile\shell\open\command 23542300x8000000000000000578297Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:57.676{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6015185FCCDD80D7F115E6DDC07439B,SHA256=4E2F363A9346EE6C680535B3BD5A80E673FE6062EA60DDD73874136A4824BC92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676651Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:57.920{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676650Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:57.601{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C3F673528E5D30E850C94A8FB697FE,SHA256=663BD48A7565CAB40BC80D1FB7468E5960B1DD669582A367E12C890070DCE4DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578296Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:57.285{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66B35774BA06192B41D9BD5107C228BE,SHA256=ADC2CB8E42542C4A4D2FE199C3FCB570EA14824F3270919A9AF5F0C35441BF6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578303Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:58.738{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7509E8B20EE4457D9A010F4667E769B8,SHA256=5B69ECB19B8D6598DE7B96EF87F47AA490CF069C97840798486414FAE475B3F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676654Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:58.619{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095A8F9C5EE0B90FE7200A90A2D4B5AF,SHA256=12EAFC05FD0690751BC47EF8C4FE25A6441F2426963B764496261591FA9169BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578302Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:58.629{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=042E93C8C8A8BD284C8BBE5148704C06,SHA256=D580C98940459DCB4652353A1AD7DD25379809CDED61DE6126531766FA38FC1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578301Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:58.582{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7D8A2AEBBB6C5439BF7DDD9F1CD44A70,SHA256=294D24469421ACFF9BC33FCB4563BAE40C1629CEF3E2F837E433ABEB3BC525A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676653Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:58.082{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C841071C58B50264296D983D79A49CA,SHA256=BFE89322F976FEB93213F22422CD0B483FD29BA55A3F24C5F68705DF580AD3A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676652Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:58.082{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E0A295A9A4F39CE886AAC84E3F16ACA,SHA256=C3D4635A1E4F3ABEE98E94F2B81F78B292A3C2FA8431086BA779AD41A51BAEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578306Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:59.738{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81EE47086F6BFE71D28B90F0D4C3C9C4,SHA256=6FC6C7C499D8D2177EAD60E5FC5417E7EF23B3200BA695108BA8CA39DB185314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676656Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:59.650{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E549BE3AF6BF9BCC25153C0AB71BCB,SHA256=54CE613C622A3F27160C40EC233034B92FDC8C0C3807751CEA8AAA4B0857791C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578305Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:59.660{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CADB9F2C171E72735AD164E6795B446D,SHA256=5FE589BA7FDBC7ACC3137FA2F20C15BD2984F616B9BD0AA6538EABDB37CD8571,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578304Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:57.282{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\explorer.exeWIN-HOST-681\Administratortcptruefalse10.0.1.15win-host-681.attackrange.local52911-false52.242.211.89-443https 354300x8000000000000000676655Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:44:57.266{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51304-false10.0.1.12-8000- 23542300x8000000000000000676657Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:00.680{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576E683DF52CBC8E2B70717032D77D06,SHA256=DF6CE03C3F2AE0D23C43238F0CA7B4FAE395DFD229CF3AE9F1482C5E84D91DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578308Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:00.770{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D774D3D39A471E255E971D9F606FA0,SHA256=B035A20BEB71AB7F4492A3A3D759DFDB4721F759831B4720C5DDB5AE24A909B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578307Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:44:57.822{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52912-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000676658Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:01.699{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3890476A12B0545094DECBA3BFAD120,SHA256=31B748CA21B03AD080F2EC182843664389A1E998C63EF1E74CDAF6800A046306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578310Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:01.832{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDED0298D850E7EB47C726725A7DABA5,SHA256=DADEA92CD7EE5E3B92AA34F57046663B612459271C5AF7884EDAFD7192EE50CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578309Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:01.816{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F075F59647E8CFC376DB3851414F4225,SHA256=08E8B97B8EBB581C835E1067297621586AC254A2F40364CEB9E9DBD39CA61427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578312Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:02.879{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E0442334E19C88E76F57407CB9BC224,SHA256=281B04E36DBF7286540277B783B7BF5E55C56F36EE37E7357EECAD716024101B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578311Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:02.863{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0F068C303B68CDFBC3B1407E1EEC16,SHA256=96F103FB46C1E38792CD57F716960B99451FF6BE54BBCE5BE738A58101AD8471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676660Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:02.731{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C841071C58B50264296D983D79A49CA,SHA256=BFE89322F976FEB93213F22422CD0B483FD29BA55A3F24C5F68705DF580AD3A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676659Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:02.731{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F7C714ADEF6ED3DA6FBAC011329CD1,SHA256=4DFAB4E272A5ACC9CE82CE2F349F12DE5838ADFBBDC20861B0A8B2FCE00CAFDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578313Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:03.879{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1744EFCD72B0835578166689E1AE4F1,SHA256=74C0506ACF2E48EFEE0E2444B06173762BFA31FB8FBE63390DF8C427F6970688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676661Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:03.761{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E360583E4046AB0BB37DE7159AA5B8F,SHA256=A9D46A1313D4EC38550AC29D1E7D2367A4B3DB8098B1AA88B26445B2C7EC0C25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676663Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:04.766{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F4B8E829FCEA113D9409589149ED27,SHA256=9BE4075E89F31C36C0F3F0733FF2E1646B30A840898014256DDF38643E6EBA26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578314Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:04.910{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D6DC212B6C65C1906964502708E0F4,SHA256=1179DBC8F642B0BAEC5F5660A70878308FB9A179011455A7B48DC1392BFC467B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676662Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:02.493{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51305-false10.0.1.12-8000- 23542300x8000000000000000578317Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:05.911{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0B26919E4BC14261C2C12DB6617E17,SHA256=4232EFF65FBDB73250A198DCD8914B47E051057B1EF2215CD74890ED53F8459C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676664Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:05.782{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E284011D0F2CACA7D10C0B387F570BEE,SHA256=A7B3238B1B0360104F980763AF84CE24476A4A0C90C8BB0F3C4C068BDD91D2AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578316Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:05.395{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C5101109A5C67B1DD2F2409192D565B,SHA256=C31D0F0FDD685CF8B3D84F3E195EE002A5AD7D5B2BCDBC529EB6C5CE332A769D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578315Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:05.035{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B5152564E6A4A7B738600883281395D6,SHA256=8B53F83353F28B5F84F5D0D018407C7B070CD11358E40826322BA4DFC1CB380B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578319Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:06.931{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AEB43A1A184532D77884BD516A39FF9,SHA256=D74D3ECC17FCCC4308B81878FEA54F891D100A3FE19F0F13903CE21633B390D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676665Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:06.798{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E134F51DDCE5CEC7BBD3BAB391D7558B,SHA256=3E9AA3153D0C8483D3DFCD17D9C3A7BFF09303E28B1FBE9AC237655697D61CE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578318Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:03.806{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52913-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578320Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:07.946{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E6FC55BF5DE2625E0F17CEE54A8CBC,SHA256=3ECE8B138007812116B82651915C6535020C1FF374A8C0A4F9F1833C80CA5FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676667Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:07.804{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD7285603B5B17606E6D2B5874862C6C,SHA256=0D32D569AED82B9CE82734A4D7DF3DF6D24710995DEB15E37C096656C27F2F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676666Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:07.723{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89FCDF6AD4A98E5F098AC6E75D80D4A7,SHA256=A607D44C0CFADB629133D37D39C2AF0256FDD8D14C730AEB93C772C69E4DC636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676668Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:08.838{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C41D8672AF97C18DF5E0745D917C25B,SHA256=3149CA559B98EFEC86EAD0A065CA3C3BA065CDA2B38CF459A9E14E488B267240,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578328Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:08.993{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578327Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:08.993{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578326Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:08.993{E1BD9FC2-8179-609D-4251-00000000BB01}39324324C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578325Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:08.978{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578324Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:08.978{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578323Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:08.978{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578322Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:08.978{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578321Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:08.962{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CEE83E92C75DF8292E66AD3A52A2D82,SHA256=FAD7D2566EF656E1495B1DB3418CCA03D9523FAB5E8CD434D09AA0812EFB2F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578330Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:09.993{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99FF03C7858554FD393D6A6FC2985315,SHA256=008809D9334D3A9F401C68A7D76E9AD08C3C4339F24FDE806ECD5158D4498B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676671Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:09.854{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20720700D9F25323561FC23F7B7DB7AF,SHA256=DF235661969494065D3A0A90F2F7CFB30770E7A1959C116B78BB105D15CFDBDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676670Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:08.384{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51306-false10.0.1.12-8000- 23542300x8000000000000000676669Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:09.154{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=449FF99993419038B2EDF6F6B2F745A9,SHA256=5F3D1A6B6545D4E9340B5010B706B37C48144FBE6B7E3430AAF2A1E92EF3F4FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578329Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:09.540{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ACB6085544059655BE3373A9FB2F4D2D,SHA256=5CD6ECC310307E443D34C7EABC86BBF6035D142E949E5B70BF830B796EE9278C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578331Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:10.993{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9242619A82C71D85483500A2F116925B,SHA256=2BAED3CFFC4B4EEDA95778214A68281A8D5EFC1431B714CE07D03F2CB48DFDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676672Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:10.870{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C112CE86D194B57A6B9A5904C3165FC,SHA256=B42F01DDC0462B637E9DCBB92B6B67138D7DBC57EEC6FD8DD8A71286D3C0E8DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676673Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:11.884{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C4279436FAD199BF6EB77C71C7AEE5E,SHA256=8C84999ED50AD986BA12285A8E575697CE979E45C85959FEC88506899FA473DE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000578335Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:45:11.868{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74830-0x7cb68e0b) 354300x8000000000000000578334Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:09.670{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52914-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578333Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:11.056{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84AA7DBEF7575E79A5D4EAAA2E3224AA,SHA256=3CA81E57975E679A5BF8366F04958D373C6A0533D10016B17521C94E8CCCBF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578332Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:11.056{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01F18365859D87DB96868CCF57BE54E5,SHA256=3E5691D7AD18813378D5C1A4C722695ADCDEFDE30D23D10B273B5271C79C49A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676675Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:12.905{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09A7E35B2021D87B23C9B2EFD4DA9F8D,SHA256=FEF2F1F2E2B68DF6218D2AC3742FABBB6833695ED84472E0A27D50641016876C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676674Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:12.905{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E9CBD4ABA3488450D55A34CA8863A7,SHA256=A44D49CD5AFEAD583D2C6F753FDFDE196C3E67C74579341E0DA18D5C0754B879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578337Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:12.931{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84AA7DBEF7575E79A5D4EAAA2E3224AA,SHA256=3CA81E57975E679A5BF8366F04958D373C6A0533D10016B17521C94E8CCCBF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578336Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:12.024{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BAAFA289ED3941BDB74836599C38D4,SHA256=ADA99863F7AAC3E5B0FAD3087215A75515C1FE5EEA3067834AACB9DB3A0B3E9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676677Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:13.922{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B468396BE29E6BCF1958EB51A417E7,SHA256=F712F5A2B8195ED6F8D4E9D19A80354330E35756AF0F57F7D8C677E558C5B4FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676676Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:12.102{7B03F3B2-D0CA-609A-1200-00000000BA01}388C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-18.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal123ntp 354300x8000000000000000578340Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:11.483{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-681.attackrange.local123ntpfalse13.86.101.172-123ntp 354300x8000000000000000578339Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:11.483{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-681.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal123ntp 23542300x8000000000000000578338Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:13.024{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3963095AA247677EFBD877BCFDFD7E4,SHA256=372E7E1866EA5D43B972FCF7FCF32E53ED7AC6A0FAE0A9B3AC8232584D8DB3C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676681Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:14.937{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85EC480B4F6EC583E138E0D9F2268326,SHA256=25E944BB15EFF5A0440CF76C4C7D3174F763F8567388E935051EA827AD273AA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676680Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:13.249{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51579- 354300x8000000000000000676679Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:13.246{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local59599- 23542300x8000000000000000676678Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:14.007{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1B7458CB482151781A74BC85C026266,SHA256=81425280C9CBE0882EA5DB1F18082BA428C0044A8AAF9AB8021A18431BE61A09,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000578342Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1042SetValue2021-05-13 19:45:14.290{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500_Classes\Launcher.SystemSettings\shell\Open\Command\(Default)cmd.exe 23542300x8000000000000000578341Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:14.040{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B1CE23F372D1F156A9FC83BCF00BB9C,SHA256=905B03CDB11586FF43A7ACA696348380A0D0461323EA6570C18975DB4838E004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676684Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:15.952{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79005B21179D7AB0D93C351814D87B8,SHA256=FCA0C9D5C8DB4F09E3E784B9D1AE2ACFC2E9FD99F40A7EFCD8CBCA94C35E13C7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000578344Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.localT1042SetValue2021-05-13 19:45:15.306{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500_Classes\Launcher.SystemSettings\shell\Open\Command\DelegateExecute(Empty) 23542300x8000000000000000578343Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:15.040{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A282FBFD64924CA34D3E29CE93A9CCD,SHA256=1A3090202B531C1269E405F3C5552E33ED6786748157F99002BBD9966D5E5589,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676683Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:14.383{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51307-false10.0.1.12-8000- 23542300x8000000000000000676682Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:15.168{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1085650D1F4849D302CBC5FF18960AE4,SHA256=CEBA8397B26F913BAEE8CA52F066B45D2ADD4102CCFD8807E5A5FED8F4531324,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676714Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.101{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676713Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.101{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676712Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.101{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676711Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.101{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676710Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.101{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676709Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.101{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676708Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.101{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676707Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.101{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676706Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.101{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676705Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.101{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676704Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.101{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676703Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.101{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676702Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.100{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676701Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.100{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676700Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.100{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676699Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.100{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676698Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.100{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676697Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.100{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676696Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.100{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676695Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.100{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676694Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.100{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676693Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.100{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676692Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.100{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676691Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.100{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676690Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.100{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676689Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.100{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676688Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.099{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676687Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.099{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676686Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.099{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676685Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:16.099{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000578347Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:14.749{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52915-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578346Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:16.134{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1AF0431A499AACAF3D1C1A64F155D8E,SHA256=A147125014791DEB1CA2843029CCA75C45D92CF0ABB4C21154DCC2B032537B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578345Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:16.056{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0771A20883C9F46EF690D4CEF18F9DC1,SHA256=FF4D3F8EB88D8E44DBCC8C6B51624C24927623CBF98E6775D9285B5F2ADACFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676715Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:17.135{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=342AB03BE52F87E635DDEC1B4BDEF844,SHA256=59E9F9BE5645241653E4A038CE32C836D3581727B925FC9763AD8E75E032B921,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578348Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:17.071{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BE6BEA480451C7646D3BC9D3319727,SHA256=5D777202F92874A22272DEA07FC64747B2F2A87AF1E689549360EB6223AAB53B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578349Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:18.087{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCFB8E4535986920EC6BDF5EF520DB02,SHA256=B7B1264E47ED2F331066C513161E152E674999FDD7266366E5AB81A75BBEAD1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676716Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:18.150{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3C2184315C2C368E0C6BFD94805EEC0,SHA256=38396300CC828015E1DE72639AB29860FE67C596E93E65274366F7A935A31760,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000578351Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:45:19.337{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500_Classes\Launcher.SystemSettings\shellex\ContextMenuHandlers\PintoStartScreen\(Default){470C0EBD-5D73-4d58-9CED-E91E22E23282} 23542300x8000000000000000578350Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:19.103{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=999D3FF6C62B20334599453CC03C9F94,SHA256=30F39ADB1539CC3555A0AC985110EE7A742E3D292ED52F63727D49D401B722A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676717Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:19.165{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F597723E4FA1957DB243C6AC2C6DD8DC,SHA256=F6F3F7E7DEB86331C5A0DE9A86301A961FAEC90FD28AD4353C87CA633DB7C227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578352Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:20.118{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9EFE7B4AECCEADDF0C145EE8A847E68,SHA256=F86AB9CEC84F8C12E3D1864FFA8219FD68B95746CC00CFD9162DD6D5AF00567D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676720Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:19.394{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51308-false10.0.1.12-8000- 23542300x8000000000000000676719Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:20.197{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC0CF594DB3D13ADB9C637F3C73F9C6E,SHA256=38E0F8CF9B7EEFE13FE0BC16B54CE97FDDD16E206EFD15D1D65BABF2A5A0A7E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676718Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:20.163{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAE799FB73434B9AB465B022D935F89C,SHA256=95C8A25E03E2E1D0C314F7F93CF6A6687D5646D03B9853ED1E678539B8607A85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578362Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:21.977{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578361Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:21.977{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578360Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:21.977{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578359Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:21.977{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578358Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:21.977{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578357Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:21.977{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x8000000000000000578356Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:45:21.352{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3056260599-3525860832-1735521891-500_Classes\Launcher.SystemSettings\shellex\ContextMenuHandlers\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\(Default)Taskband Pin 23542300x8000000000000000578355Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:21.165{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDCD686AA418BAD94F0793EA99E2952A,SHA256=329A39D0C4C3265D5008FC53CEF4E2D34AFDA7A33464434279B9187D94395435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578354Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:21.165{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=187B6C385FC9C4243C6BA065FC156585,SHA256=0FA735B8C336679D29515524F18D9B0EA146630CAD226BC601F7BBAF25251635,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578353Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:21.134{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB82EB271B9189F3281504CC97258A3,SHA256=6B6334CA5A857EE9E343CE12121CE999DCD334267266E8B98F9B62AD8879C609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676721Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:21.216{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D570FA46EBD430FF6D128D6EBB8EE7,SHA256=FBEBB0F0E04177B7DF2765D8C9ABA8A2F57AF46F577C6429EEF9AE0DCECA4E3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676723Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:22.733{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FD42BFB708D47DE4A304694716EEEF4,SHA256=8FFE7C716D7137C1DD694CA7F11A6A7CA95471AC4FE789E8C81319F18A0E1F33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676722Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:22.218{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A14AE8EA886584034C48A6DE3337253,SHA256=2A23D72564A10CA4FECD328D57BF68BD9016D7CDD5A08B772EA7E3C14C6304B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578364Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:19.780{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52916-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578363Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:22.134{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA38A808E0CBA6C83DD9BB02F84A750,SHA256=F2BDB4905FD41110C2E6EA1BC3F7A27CC02F867AD8D62DBB260B92AAF115FA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578366Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:23.431{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDCD686AA418BAD94F0793EA99E2952A,SHA256=329A39D0C4C3265D5008FC53CEF4E2D34AFDA7A33464434279B9187D94395435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578365Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:23.149{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227BA3C9F87811FA94FAE8F1D2D9DB94,SHA256=01B3657549A6AE8188BA3765AF5B81A3FBB4B393BAE3234A02F95C76A92247E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676724Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:23.233{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75C2128D8B08348CC9D055B0A17607F3,SHA256=8689893842A7F88FB89BBE514C3A48C833BF154920B8E17B5C0B0AFE177A41FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676725Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:24.247{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FE9D1C96ACB39F161CD7D71705D3D7,SHA256=5796006AFD03635B52048A4F1177A0BCE16D8B7D7E95433999BBBD8E85B9A773,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578420Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.743{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578419Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.743{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000578418Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.727{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826205F3F2425D31E7FD7ABB1C926059,SHA256=5574E0071138D3C5B08574AF9F713C920B77F5AB90F34BDD26B4928CE27F6976,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578417Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.696{E1BD9FC2-8179-609D-4251-00000000BB01}39324168C:\Windows\Explorer.EXE{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578416Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.696{E1BD9FC2-8179-609D-4251-00000000BB01}39324168C:\Windows\Explorer.EXE{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578415Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.696{E1BD9FC2-8179-609D-4251-00000000BB01}39324168C:\Windows\Explorer.EXE{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578414Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.696{E1BD9FC2-8179-609D-4251-00000000BB01}39324168C:\Windows\Explorer.EXE{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578413Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.681{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578412Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.681{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578411Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.681{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578410Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.681{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578409Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.681{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578408Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.681{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578407Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.681{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578406Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.665{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578405Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.649{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578404Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.649{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578403Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.462{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578402Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.462{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578401Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.462{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3951351392CC10F11B545827D7C7C8F4,SHA256=E9A461B0F2F62F415DF24CBBC571E7577E7E1A879E26943C4FBF7C440B322B99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578400Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.446{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578399Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.446{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578398Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.446{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578397Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.446{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578396Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.446{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578395Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.446{E1BD9FC2-81D4-609D-7051-00000000BB01}43325076C:\Windows\system32\slui.exe{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+3d443|C:\Windows\System32\SHELL32.dll+3d30b|C:\Windows\System32\SHELL32.dll+3cc27|C:\Windows\System32\SHELL32.dll+dcb5e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000578394Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.456{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\System32\changepk.exe10.0.14393.0 (rs1_release.160715-1616)Windows ActivationMicrosoft® Windows® Operating SystemMicrosoft Corporationchangepk.exe"C:\Windows\system32\ChangePk.exe" C:\Users\Administrator\Desktop\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=E158157A57E322D9BB683FE2378724BA,SHA256=64708A3E27EE5ACBEB14140A956AAF8F6472CF60D592C05BC564851BE5CD42D5,IMPHASH=67AFB32EC629ED4DABAE2F8273A64EB5{E1BD9FC2-81D4-609D-7051-00000000BB01}4332C:\Windows\System32\slui.exe"C:\Windows\system32\slui.exe" 0x03 10341000x8000000000000000578393Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.446{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-81D4-609D-7051-00000000BB01}4332C:\Windows\system32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578392Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.446{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-81D4-609D-7051-00000000BB01}4332C:\Windows\system32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578391Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.431{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-81D4-609D-7051-00000000BB01}4332C:\Windows\system32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578390Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.431{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-81D4-609D-7051-00000000BB01}4332C:\Windows\system32\slui.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578389Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.431{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-81D4-609D-7051-00000000BB01}4332C:\Windows\system32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578388Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.431{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3951351392CC10F11B545827D7C7C8F4,SHA256=E9A461B0F2F62F415DF24CBBC571E7577E7E1A879E26943C4FBF7C440B322B99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578387Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.431{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=63A532C8961C8D642C58C3DC14ECC3FE,SHA256=1CA17BB4F71807B250310D46D157D218A8AA4B728014A69AE726EA4F394DBF9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578386Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.415{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578385Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.415{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578384Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.415{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578383Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.415{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-81D4-609D-7051-00000000BB01}4332C:\Windows\system32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578382Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.415{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578381Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.415{E1BD9FC2-81D4-609D-6F51-00000000BB01}55125336C:\Windows\System32\Slui.exe{E1BD9FC2-81D4-609D-7051-00000000BB01}4332C:\Windows\system32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+3d443|C:\Windows\System32\SHELL32.dll+3d30b|C:\Windows\System32\SHELL32.dll+3cc27|C:\Windows\System32\SHELL32.dll+dcb5e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000578380Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.417{E1BD9FC2-81D4-609D-7051-00000000BB01}4332C:\Windows\System32\slui.exe10.0.14393.4169 (rs1_release.210107-1130)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\system32\slui.exe" 0x03C:\Users\Administrator\Desktop\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=6DA00C320273915FA7A6E43A8AA2F0C5,SHA256=008AD5FDB6416DDDDA2851C9E8C45A37F4332394341EC5786C9079851A7A5A1E,IMPHASH=BE6A8F73F7A470237F542B6CFB4ECD5B{E1BD9FC2-81D4-609D-6F51-00000000BB01}5512C:\Windows\System32\slui.exe"C:\Windows\System32\Slui.exe" 10341000x8000000000000000578379Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.399{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-81D4-609D-6F51-00000000BB01}5512C:\Windows\System32\Slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578378Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.399{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6283724C:\Windows\system32\lsass.exe{E1BD9FC2-81D4-609D-6F51-00000000BB01}5512C:\Windows\System32\Slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578377Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.384{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-81D4-609D-6F51-00000000BB01}5512C:\Windows\System32\Slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578376Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.384{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-81D4-609D-6F51-00000000BB01}5512C:\Windows\System32\Slui.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578375Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.384{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-81D4-609D-6F51-00000000BB01}5512C:\Windows\System32\Slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578374Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.368{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578373Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.368{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578372Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.368{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578371Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.368{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578370Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.368{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-81D4-609D-6F51-00000000BB01}5512C:\Windows\System32\Slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578369Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.368{E1BD9FC2-819A-609D-5F51-00000000BB01}57045596-{E1BD9FC2-81D4-609D-6F51-00000000BB01}5512C:\Windows\System32\Slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\shell32.dll+3cd0f|C:\Windows\System32\shell32.dll+3cb9c|C:\Windows\System32\shell32.dll+3c8ec|C:\Windows\System32\shell32.dll+e2187|C:\Windows\System32\shell32.dll+e20e5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+38b3fc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+af0a27|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+a8ff9700|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+a8ff9700 154100x8000000000000000578368Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.370{E1BD9FC2-81D4-609D-6F51-00000000BB01}5512C:\Windows\System32\slui.exe10.0.14393.4169 (rs1_release.210107-1130)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\System32\Slui.exe" C:\Users\Administrator\Desktop\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=6DA00C320273915FA7A6E43A8AA2F0C5,SHA256=008AD5FDB6416DDDDA2851C9E8C45A37F4332394341EC5786C9079851A7A5A1E,IMPHASH=BE6A8F73F7A470237F542B6CFB4ECD5B{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000578367Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.165{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EAA81DE6E62A0848E7FFFD71C819D3E,SHA256=673191434618F29B6398A379362DA10C3A156E7E28E780D436516ECD18F9CBF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676731Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:24.541{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51310-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000676730Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:24.541{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local51310-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000676729Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:24.439{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51309-false10.0.1.12-8000- 23542300x8000000000000000676728Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:25.461{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676727Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:25.261{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3B8F368994B4EC93214E947F6A91D6,SHA256=0CB0165337841EFAF9669D54FE758B1B675C57FC1607B60F57F7A965574CA533,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578431Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:25.977{E1BD9FC2-81D5-609D-7251-00000000BB01}51164132C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578430Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:25.790{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-81D5-609D-7251-00000000BB01}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578429Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:25.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578428Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:25.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578427Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:25.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578426Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:25.790{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578425Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:25.790{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-81D5-609D-7251-00000000BB01}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578424Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:25.790{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-81D5-609D-7251-00000000BB01}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578423Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:25.791{E1BD9FC2-81D5-609D-7251-00000000BB01}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000578422Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:25.399{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=781B8F16DC2B05084AD7FC053120B238,SHA256=F52CE90A86903C7ECAD0CC6B4399346BF76133A5A4C55F45DB43603D5B4A9D08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578421Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:25.227{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=914F81E50A1E615A7D431471E6578768,SHA256=2C98313098FB873A5C33756447E5F164F4A65130366E7E1E4A34F61039215BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676726Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:25.214{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6410B227503894335F8CF5813AA2E1CB,SHA256=3D9DE2B3430616B1DE6CD83635CB08C33DA819063A177C8175DB323C9E8EFB4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676733Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:26.459{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4AC6FAA376AAF60B42C8A91DC50AAE58,SHA256=7D7A07B2772FBE5A06561E8DA22FFA020D656C40AA1201D4FFB12A5EA1E4A7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676732Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:26.294{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D106F1DF53DEB6565EB8CABD724F4BE8,SHA256=343A7971FF4B6C18467EB70664ECEEF251761EC921527597A695D33DD2E5F768,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578453Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:24.811{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52917-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000578452Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.681{E1BD9FC2-D2BA-609A-0D00-00000000BB01}7924592C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+ec16|c:\windows\system32\rpcss.dll+10ee2|c:\windows\system32\rpcss.dll+6a4c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578451Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.681{E1BD9FC2-D2BA-609A-0D00-00000000BB01}7924592C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+ec16|c:\windows\system32\rpcss.dll+10ee2|c:\windows\system32\rpcss.dll+6a4c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578450Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.462{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-81D6-609D-7351-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578449Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578448Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578447Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578446Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.462{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578445Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.462{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-81D6-609D-7351-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578444Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.462{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-81D6-609D-7351-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578443Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.463{E1BD9FC2-81D6-609D-7351-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000578442Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.337{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578441Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.337{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578440Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.337{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578439Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.337{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578438Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.337{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578437Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.337{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578436Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.337{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578435Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.337{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578434Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.337{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578433Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.337{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-81D4-609D-7151-00000000BB01}2408C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2e0d|C:\Windows\System32\Windows.UI.Immersive.dll+2524|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000578432Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:26.243{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86408DDD7B920331A577BA3E8FF1832C,SHA256=6B98043A71D5D807A6897BE974EEA08EEC82D7B746F8556A2751D75580A4CDA7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000578464Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:45:27.866{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74830-0x863f92b2) 23542300x8000000000000000578463Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:27.319{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7625E34AF5A7886E0CD967E081A41A2,SHA256=184279F07E740341F915C92EFA6EA2059F579B6FDC2F546E46B3515CFBBA6322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676736Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:27.793{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=254843ABA7196BFFDB5764ABC9028B6B,SHA256=BCF8255570226F7067F42BADD66DF290C60F8F179D7246FCBC6923DB74F03483,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676735Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:25.690{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51311-false10.0.1.12-8089- 23542300x8000000000000000676734Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:27.312{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19882D07205243EB55EFF472BCF0C9A3,SHA256=A204DA30590901E050B3CF58BF39131432273B7CB5BE0A1E36073E849A0402AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578462Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:27.131{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-81D7-609D-7451-00000000BB01}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578461Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:27.131{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578460Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:27.131{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578459Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:27.131{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578458Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:27.131{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578457Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:27.131{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-81D7-609D-7451-00000000BB01}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578456Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:27.131{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-81D7-609D-7451-00000000BB01}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578455Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:27.132{E1BD9FC2-81D7-609D-7451-00000000BB01}4568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000578454Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:27.022{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E6F27FF74091F43E2C3AAA5A93984CF,SHA256=58A1B24A7D363D0ED8C5C3B1048EFFC02E81F8B4024F0565FDEA067A433EAD68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578466Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:28.350{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D9DE3A24550F0EE77827EDC32EA5FA,SHA256=B57E38D7CC3DE76C87162A5D9757CDB2AA8CCF561A23306D208D25B75EB39E1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676737Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:28.326{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0127D1EA31454DF0050DF6520157A7EC,SHA256=1F14A164AD9836CAAB2FC50B8D33983E513AF93D875A680FEEF5FAD64F7E9DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578465Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:28.178{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7443A0C3AABA22479B194B17B702235,SHA256=630092F38145CF5991632942DC43ABF924BFB566F5EF6F121E90E391807BE4A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578467Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:29.350{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4C63A763628B304CC2A84FF8371F42E,SHA256=50417DF0BC69E8C71DDAF735506FEB44D2337E83184DEEBD521516271716C003,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676738Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:29.356{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D1C66A2041A8F0C51E4ED2F23883D6,SHA256=83E66CA28BFBE95EDEBFC911D98F06B846E9F5F3A8FF45CE6D953E0C8FA23D6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676744Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:30.971{7B03F3B2-D0C8-609A-0B00-00000000BA01}6327824C:\Windows\system32\lsass.exe{7B03F3B2-D0C5-609A-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x8000000000000000676743Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:30.824{7B03F3B2-D0CA-609A-1600-00000000BA01}13041208C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676742Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:30.824{7B03F3B2-D0CA-609A-1600-00000000BA01}13041208C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2F00-00000000BA01}1168C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000676741Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:29.470{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local51312-false10.0.1.12-8000- 23542300x8000000000000000676740Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:30.372{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6591F78BC574F3BC9A8F799BE3D001F,SHA256=3A9CDBF1261261E04B2DA01D8E7E4B286CDE0A15E2AA78000A63FE466532711E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578469Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:30.350{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB1E9F29C294CE28B23E391820113F4,SHA256=CC03D4D60D07F9F56EE7816A618EA162ADD587F05F014E9A7A1497FF81E283C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578468Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:30.022{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676739Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:30.290{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CC79ED196E13F5568222741D54FAB69,SHA256=20144D608599F25631158BA41DB3A8C3343A54A6A719F049C73BFBA215FCF879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676746Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:31.971{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12272FADE195DF9A66CA991FFDC48799,SHA256=313752A000783FA09D01673C66E4DAD7629EDC652AC5E7B4074189286A5F2354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676745Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:31.390{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E453BD1718D57046DAA78FD5B325B08A,SHA256=7A9F0B0D4ABC76623392B2B7BA6B68EC71F83E63F33261B69E65F1EA7BEB8CF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578478Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:29.637{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52918-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x8000000000000000578477Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:31.475{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-81DB-609D-7551-00000000BB01}4636C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578476Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:31.475{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-81DB-609D-7551-00000000BB01}4636C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578475Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:31.475{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-81DB-609D-7551-00000000BB01}4636C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578474Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:31.459{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-81DB-609D-7551-00000000BB01}4636C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578473Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:31.459{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-81DB-609D-7551-00000000BB01}4636C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578472Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:31.459{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-81DB-609D-7551-00000000BB01}4636C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578471Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:31.444{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0CA590D1B6F2FA2D6E8AB7E222D2538,SHA256=C03B2DC3368A7A139AF65839791C48137B7C767114182EA212C7597DF9A29F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578470Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:31.053{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A4CFC5C0404DF64410F681779C2E0B3,SHA256=D7DF547D0D26589ACCAF002C7180AB8E1BD2030023C64327013CDCF7EFF1AFA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578480Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:32.444{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C66C80CAF4569ADA3289F984E3AEE21,SHA256=BF55BA1F43991B542E6BE199253A28B6657027AA5C05C704B58F2A6074F1E9B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676762Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:31.569{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53855- 23542300x8000000000000000676761Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:32.456{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6C7D35068CED629B37517A5F89B0671,SHA256=4AA0B7F870F74FC64EDBF26B978E2BF4C16BA7F58D06A5B0FBA11B748E04F4B2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000676760Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:32.140{7B03F3B2-D0CA-609A-1100-00000000BA01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0f546135-3ad4-4a0d-944e-d2f847aabbf6}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000676759Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:32.140{7B03F3B2-D0CA-609A-1100-00000000BA01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0f546135-3ad4-4a0d-944e-d2f847aabbf6}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000676758Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:32.140{7B03F3B2-D0CA-609A-1100-00000000BA01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0f546135-3ad4-4a0d-944e-d2f847aabbf6}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000676757Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:32.140{7B03F3B2-D0CA-609A-1100-00000000BA01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0f546135-3ad4-4a0d-944e-d2f847aabbf6}\LeaseTerminatesTimeDWORD (0x609d8fec) 13241300x8000000000000000676756Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:32.140{7B03F3B2-D0CA-609A-1100-00000000BA01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0f546135-3ad4-4a0d-944e-d2f847aabbf6}\T2DWORD (0x609d8e2a) 13241300x8000000000000000676755Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:32.140{7B03F3B2-D0CA-609A-1100-00000000BA01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0f546135-3ad4-4a0d-944e-d2f847aabbf6}\T1DWORD (0x609d88e4) 13241300x8000000000000000676754Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:32.140{7B03F3B2-D0CA-609A-1100-00000000BA01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0f546135-3ad4-4a0d-944e-d2f847aabbf6}\LeaseObtainedTimeDWORD (0x609d81dc) 13241300x8000000000000000676753Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:32.140{7B03F3B2-D0CA-609A-1100-00000000BA01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0f546135-3ad4-4a0d-944e-d2f847aabbf6}\LeaseDWORD (0x00000e10) 13241300x8000000000000000676752Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:32.140{7B03F3B2-D0CA-609A-1100-00000000BA01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0f546135-3ad4-4a0d-944e-d2f847aabbf6}\DhcpServer10.0.1.1 13241300x8000000000000000676751Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:32.140{7B03F3B2-D0CA-609A-1100-00000000BA01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0f546135-3ad4-4a0d-944e-d2f847aabbf6}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000676750Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:32.140{7B03F3B2-D0CA-609A-1100-00000000BA01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0f546135-3ad4-4a0d-944e-d2f847aabbf6}\DhcpIPAddress10.0.1.14 13241300x8000000000000000676749Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:32.140{7B03F3B2-D0CA-609A-1100-00000000BA01}620C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0f546135-3ad4-4a0d-944e-d2f847aabbf6}\DhcpInterfaceOptionsBinary Data 354300x8000000000000000676748Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:31.217{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51313-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000676747Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:31.217{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51313-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 23542300x8000000000000000578479Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:32.209{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A4F87FA65BF2C9FC79D55FDE72854767,SHA256=5F154F4423E2AE556561FA7996ED761794A89D10966E8E082B8974ACAFBA710A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578482Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:33.459{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D81580790185AE9F384EC09419AEC0A,SHA256=EAD647E4818612D7D416CA5ED240DB06E1839FBFDA1E36C2175C7F25F4E76687,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676767Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:32.392{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:c890:a4f4:8987:ffff-57614-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000676766Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:32.392{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local57614-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000676765Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:32.385{7B03F3B2-D0CA-609A-1100-00000000BA01}620C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-18.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-west-2.compute.internal67bootps 23542300x8000000000000000676764Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:33.490{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F9352B0D5ED6E2F073EE3BAD4AE1C6,SHA256=0FD1A95E6E53A9D79B77DDC16B71A50C451F0FD210D071534B8071F93B428170,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578481Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:30.824{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52919-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000676763Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:33.140{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78A9C7AFA5AE46612D144F842AFE4727,SHA256=F0A8EBA4025274D4C893DF055D89E41AA93B344A1FA10FEC727AB11202532DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676785Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.707{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66BF437CE91696C46CD9DD64CB32144,SHA256=59AF5DF1CA3BD25D601AFC17EC0973FFA242670CC87E644F839E762E8F57E149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578484Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:34.506{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A30D098F72220FDDC595FC1A5C69A4E1,SHA256=475CF8A0CA20FCEA1406DA25B0D41D0F71BB00546BBB8E0D29E4077105201704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578483Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:34.475{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485E0A5F2ED02AC4B2B164E8004F1136,SHA256=4FDFA34B7605F4E8B8E42471F096109358ECA4DFA545D3DA90C86D90DD152A54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676784Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.191{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A71E616D952691C69001819F4F2B3D6,SHA256=E3145206467203A12768857F2EA5BE7E8888776FB0002CDCEC3E9268AC22E0C3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000676783Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:34.170{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0F546135-3AD4-4A0D-944E-D2F847AABBF6}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000676782Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:34.170{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0F546135-3AD4-4A0D-944E-D2F847AABBF6}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000676781Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:34.170{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0F546135-3AD4-4A0D-944E-D2F847AABBF6}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000676780Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:34.170{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0F546135-3AD4-4A0D-944E-D2F847AABBF6}\FlagsDWORD (0x00000002) 13241300x8000000000000000676779Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:34.170{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0F546135-3AD4-4A0D-944E-D2F847AABBF6}\TtlDWORD (0x000004b0) 13241300x8000000000000000676778Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:34.170{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0F546135-3AD4-4A0D-944E-D2F847AABBF6}\SentPriUpdateToIpBinary Data 13241300x8000000000000000676777Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:34.170{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0F546135-3AD4-4A0D-944E-D2F847AABBF6}\SentUpdateToIpBinary Data 13241300x8000000000000000676776Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:34.170{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0F546135-3AD4-4A0D-944E-D2F847AABBF6}\DnsServersBinary Data 13241300x8000000000000000676775Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:34.170{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0F546135-3AD4-4A0D-944E-D2F847AABBF6}\HostAddrsBinary Data 13241300x8000000000000000676774Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:34.170{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0F546135-3AD4-4A0D-944E-D2F847AABBF6}\PrimaryDomainNameattackrange.local 13241300x8000000000000000676773Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:34.170{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0F546135-3AD4-4A0D-944E-D2F847AABBF6}\AdapterDomainName(Empty) 13241300x8000000000000000676772Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:34.170{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0F546135-3AD4-4A0D-944E-D2F847AABBF6}\Hostnamewin-dc-18 10341000x8000000000000000676771Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.170{7B03F3B2-D0C8-609A-0B00-00000000BA01}6327824C:\Windows\system32\lsass.exe{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x8000000000000000676770Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:34.170{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{0F546135-3AD4-4A0D-944E-D2F847AABBF6}\RegisteredSinceBootDWORD (0x00000001) 354300x8000000000000000676769Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:33.219{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51314-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000676768Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:33.219{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local51314-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000676800Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.429{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.14win-dc-18.attackrange.local58434- 354300x8000000000000000676799Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.428{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.14win-dc-18.attackrange.local55530- 354300x8000000000000000676798Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.428{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local52952- 354300x8000000000000000676797Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.427{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local55562- 354300x8000000000000000676796Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.427{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local57382- 354300x8000000000000000676795Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.423{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local54108-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000676794Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.422{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local54108-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000676793Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.421{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.14win-dc-18.attackrange.local60039- 354300x8000000000000000676792Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.420{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-18.attackrange.local54107-false10.0.1.14win-dc-18.attackrange.local53domain 354300x8000000000000000676791Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.420{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-18.attackrange.local54107-false10.0.1.14win-dc-18.attackrange.local53domain 354300x8000000000000000676790Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.418{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-18.attackrange.local53domainfalse10.0.1.14win-dc-18.attackrange.local58210- 354300x8000000000000000676789Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.418{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-18.attackrange.local58210-false10.0.1.14win-dc-18.attackrange.local53domain 354300x8000000000000000676788Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:34.417{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local65440- 23542300x8000000000000000676787Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:35.737{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A67DB267D3BF5E3C0CCB5CF1A7A2C0E,SHA256=84CD7A52D0E49CFA81EEF6D893EDBF4BD4869468C8B287BAD9417A32350025DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578503Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.881{E1BD9FC2-81DF-609D-7751-00000000BB01}57563184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578502Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.741{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-81DF-609D-7751-00000000BB01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578501Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.741{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578500Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.741{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578499Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.741{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578498Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.741{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578497Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.741{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-81DF-609D-7751-00000000BB01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578496Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.741{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-81DF-609D-7751-00000000BB01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578495Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.741{E1BD9FC2-81DF-609D-7751-00000000BB01}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000578494Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.475{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE17B250FD11FD256C63E09748E12676,SHA256=32E3B6EB6DD118292118A0949C667BDA8FE73B38F4E136F3B823801C5976AF07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676786Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:35.207{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48D26A442487D63C69FBC195A45E9CBF,SHA256=18619CEA959EE473C7C707827B3EE7A69230E9D1D0A288C951395668F0E1C4BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578493Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.209{E1BD9FC2-81DF-609D-7651-00000000BB01}60486064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578492Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.069{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-81DF-609D-7651-00000000BB01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578491Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.069{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578490Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.069{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578489Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.069{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578488Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.069{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578487Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.069{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-81DF-609D-7651-00000000BB01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578486Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.069{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-81DF-609D-7651-00000000BB01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578485Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:35.069{E1BD9FC2-81DF-609D-7651-00000000BB01}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000578515Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:36.694{E1BD9FC2-D2BA-609A-0D00-00000000BB01}7924592C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+4160e|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578514Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:36.694{E1BD9FC2-D2BA-609A-0D00-00000000BB01}7924592C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+4160e|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578513Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:36.506{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89B88108B7A707D12EDA8EF6D17C20D,SHA256=895FB9BE7B71C4D46F023564970F82BE1C6603B9C92F0295DFA2507210CD3F4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676823Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:35.383{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54109-false10.0.1.12-8000- 10341000x8000000000000000676822Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.790{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676821Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.790{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676820Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.790{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-0F00-00000000BA01}380C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6112d|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+7bfe9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000676819Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.790{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45B0EE309B2EEE309EB1768BD1D53062,SHA256=82A6220A63C62E37FCDFA74B58E1414269253C49BDB8538B4809A52535929706,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676818Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.788{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676817Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.788{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676816Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.788{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676815Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.788{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676814Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.786{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676813Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.786{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676812Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.621{7B03F3B2-D0CA-609A-1600-00000000BA01}1304NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=BF7A43F8420E8606BF4AF083349F1955,SHA256=9CA770106B0046D0BCD484449860A34F62E9196FC9471160071EF1E1F1E33F07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676811Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.621{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-81E0-609D-6D56-00000000BA01}3536C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676810Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.590{7B03F3B2-81E0-609D-6E56-00000000BA01}20965600C:\Windows\system32\conhost.exe{7B03F3B2-81E0-609D-6D56-00000000BA01}3536C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676809Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.584{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-81E0-609D-6E56-00000000BA01}2096C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676808Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.569{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676807Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.569{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676806Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.569{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676805Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.569{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676804Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.569{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-81E0-609D-6D56-00000000BA01}3536C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676803Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.569{7B03F3B2-D0CA-609A-1600-00000000BA01}13044540C:\Windows\system32\svchost.exe{7B03F3B2-81E0-609D-6D56-00000000BA01}3536C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676802Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.553{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676801Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:36.553{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578512Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:36.413{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-81E0-609D-7851-00000000BB01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578511Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:36.413{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578510Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:36.413{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578509Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:36.413{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578508Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:36.413{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578507Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:36.413{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-81E0-609D-7851-00000000BB01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578506Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:36.413{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-81E0-609D-7851-00000000BB01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578505Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:36.413{E1BD9FC2-81E0-609D-7851-00000000BB01}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000578504Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:36.288{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C9CB5BA0C018202FF4C43899DDD58A6,SHA256=B2584E8EDF715A0FA82FAF0DFED90430FCA1BFB80B880B3491FA25219E44211B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676827Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:37.820{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0B5F5AA9DC12E299AD3ACC2D2732F6,SHA256=625CA318FA941331E19CBD05F1E81F867A608626E761E0A0511AF8F56C633CFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578526Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:37.538{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B13D58BB4A0120900113DC3EDD39454,SHA256=D9A3D2CC78A6F1B8E0776450C8BD34587D4E9E891214322ACCC947D6604ED784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578525Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:37.444{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA88FB2AC2DDFB74CD66135EE4558404,SHA256=47CC7ADBF259AB57E80BA912D4023B53ABEFABEBDAFF06A3EA4669ECBA534B39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578524Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:37.225{E1BD9FC2-81E1-609D-7951-00000000BB01}828776C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578523Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:37.084{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-81E1-609D-7951-00000000BB01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578522Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:37.084{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578521Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:37.084{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578520Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:37.084{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578519Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:37.084{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578518Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:37.084{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-81E1-609D-7951-00000000BB01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578517Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:37.084{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-81E1-609D-7951-00000000BB01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578516Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:37.085{E1BD9FC2-81E1-609D-7951-00000000BB01}828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676826Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:37.752{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B2F0F66D85212A54BC185476011D0FCB,SHA256=F4E52F14BAEFB345E5262D0447B380A79D3E50F580C41D9A77A1ECE63B767338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676825Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:37.752{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3449D76B14AF6C1A6B19001EFD6B593E,SHA256=D8F562542A8F099DDDDD24ACECBD80829668411044A37572B4FE8DC5DE6B6D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676824Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:37.589{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9918864815DAF943DD3BB5E855C4D26,SHA256=26606ED996233A170596537147C7707E8629678FA9822FA1A8D43143C1C1FCDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676828Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:38.850{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619832A6AEC11A04CD3AD078A90C7A7F,SHA256=2C21549B22B756BF1BFE010D3B71553AC588629C4A43E25AE3ED9F65C74B16B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578536Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:36.809{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52920-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578535Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:38.584{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52F70D07748744A13A4807BC0E9419FB,SHA256=E76F71FC922E78D4D322A004F4A9983F43D53A3ECFB35D90C3B3C98E13DC7443,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578534Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:38.522{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578533Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:38.522{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578532Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:38.522{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578531Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:38.506{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578530Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:38.506{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578529Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:38.506{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578528Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:38.506{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81AD-609D-6951-00000000BB01}352C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578527Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:38.225{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=34D8F8F376933A51210955EB6AFAEEB3,SHA256=7523B7C91A7D7A09F791610AB25F70B649FEA614EDF45F2DD28CFBCE605891A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676832Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:39.865{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=398DFBC8C547D324725FE359AF0E2CAC,SHA256=A01D6EDDABC5214AE82F9B999C030FEEE48C7D29262DF32B1CB4B5017660AC2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676831Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:39.865{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F1945E1D950049D67240A72D110398C,SHA256=3EBDCF58D8FCA3D1CA142247FBE1ADE0511A99AEC1CD0743D5B25C94CA30F718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578537Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:39.600{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3ADF711619496B1384493BBAF10991,SHA256=C52EF2502AE1B945E46CB62F21FDD83E51B1D7923003A8FD7083A070FE5C31AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676830Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:37.133{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54110-false52.183.220.149-443https 354300x8000000000000000676829Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:37.079{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local64203- 23542300x8000000000000000676833Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:40.883{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9455858B5B3FB5D6D523A85A6E9E10F2,SHA256=E17B04D96BE73B5926B11FA5B8C23CBD02814A68208F6903B9019EC3299DA999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578538Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:40.601{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232893E1C1AFE40B008B130A7EB40E0B,SHA256=7856122EE48CBC20AE1721D6EC7ED23FD6A36E9FF9E2AF95C68D23C3A928DCE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676835Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:41.902{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61B6009FA6A2CA1854FC01D29C306B27,SHA256=64912D646912AC2D24B866F09762CF400B79457B16D735B4A82F29C979BB6E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578539Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:41.615{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2C2B1A12E6D80F66702CC3012B924E,SHA256=263515B8D2CBA1EE555B529B14464815225376D2D7190C2248C26AA018E883DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676834Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:39.126{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1win-dc-18.attackrange.local53domainfalse127.0.0.1win-dc-18.attackrange.local64203- 23542300x8000000000000000676837Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:42.917{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE337E17187E9470FB91ADBB4BA3892A,SHA256=210A7117D5429E47AD59BE016B1735B9DF7CCBCF9B8F2E0BB226DC22660FB325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578540Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:42.618{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC73B4D5EA99B0284DDE538F212A2E8,SHA256=D5062B80AF878C2AFF2F644ED5077AD685F07E1327DFD1FBF20B6EC35BC215AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676836Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:42.117{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A6E67C0AB1CC19F3F732600A19CA6D6,SHA256=3F6575D4E63173873FDA48E56FEF7E8451ED11B75D9E839376F992BDCA573938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676839Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:43.947{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0EADDF8C1B2BAA78B631C5E8DC47A8,SHA256=533431ECE7752909F421978B2EFAB2E9188737F2CDBEB7AE44119DF433660E6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578543Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:43.696{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14AFAF6E4732B0BCCA72D03FE4D686BC,SHA256=644EE49BDB0258CE7ACE412D4387A7D6AED1F814EC2021D7083549524204284F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676838Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:41.326{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54111-false10.0.1.12-8000- 23542300x8000000000000000578542Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:43.212{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB1376068D707FCF91E5ABCD1A518E56,SHA256=43579CF2896E7036851F49BC2F00DC63CA8A8A972D925E3B4AE1DFB1919E66B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578541Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:43.212{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31BE5338C758774985CBE014963DDD5F,SHA256=662A6D878D88675F0FAA8FCA4978A8349743D1ED8C1A16D455A4D92537EBA80B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578551Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:44.727{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD319304DA65F3BD7C7AF8C45FF9A9F0,SHA256=6AA180A066176CD594B081036CCA99CA9DB150587219A621C372EDB1D98E8492,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578550Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:44.727{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578549Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:44.727{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676847Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:44.982{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-81E8-609D-6F56-00000000BA01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676846Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:44.979{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676845Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:44.979{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676844Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:44.979{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676843Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:44.978{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676842Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:44.978{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-81E8-609D-6F56-00000000BA01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676841Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:44.978{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-81E8-609D-6F56-00000000BA01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676840Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:44.978{7B03F3B2-81E8-609D-6F56-00000000BA01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000578548Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:44.712{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578547Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:44.712{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578546Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:44.712{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578545Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:44.712{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000578544Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:41.839{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52921-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000676858Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:45.645{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-81E9-609D-7056-00000000BA01}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676857Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:45.645{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676856Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:45.645{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676855Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:45.645{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676854Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:45.645{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676853Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:45.645{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-81E9-609D-7056-00000000BA01}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676852Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:45.645{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-81E9-609D-7056-00000000BA01}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676851Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:45.646{7B03F3B2-81E9-609D-7056-00000000BA01}7596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676850Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:45.281{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7194DA63FDC861E296A67A86C1AF4A18,SHA256=4BC61D242BEF53C1976229A79F93BD9EC092C2A73EBC250BDDC9AF4F47B6F50D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676849Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:45.199{7B03F3B2-81E8-609D-6F56-00000000BA01}40402032C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676848Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:45.014{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFD1C76C21B55CB54355647FEE6B93EA,SHA256=3193588A646380144BB59A10CE297D6800B60BE945B21D59B7A0E28F53B8373F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578594Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.977{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-81E9-609D-7C51-00000000BB01}4300C:\Windows\system32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578593Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.977{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-81E9-609D-7C51-00000000BB01}4300C:\Windows\system32\slui.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578592Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.977{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-81E9-609D-7C51-00000000BB01}4300C:\Windows\system32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578591Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.977{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DC0DC05B59820E8D65FA7679B2193888,SHA256=F1E013158E1F48ECCC8CB5254D369FF00A195FEF5C5C3EBEB5F130FB96AC85F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578590Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.977{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=65304ED65112C97887228D154F626137,SHA256=516F397988108C27293872D257C067573D4C48A957E5F0E4F4CEE6DC27CC3DC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578589Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.962{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578588Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.962{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578587Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.962{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578586Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.962{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-81E9-609D-7C51-00000000BB01}4300C:\Windows\system32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578585Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.962{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578584Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.962{E1BD9FC2-81E9-609D-7B51-00000000BB01}57726104C:\Windows\System32\slui.exe{E1BD9FC2-81E9-609D-7C51-00000000BB01}4300C:\Windows\system32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+3d443|C:\Windows\System32\SHELL32.dll+3d30b|C:\Windows\System32\SHELL32.dll+3cc27|C:\Windows\System32\SHELL32.dll+dcb5e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000578583Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.965{E1BD9FC2-81E9-609D-7C51-00000000BB01}4300C:\Windows\System32\slui.exe10.0.14393.4169 (rs1_release.210107-1130)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\system32\slui.exe" 0x03C:\Users\Administrator\Desktop\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=6DA00C320273915FA7A6E43A8AA2F0C5,SHA256=008AD5FDB6416DDDDA2851C9E8C45A37F4332394341EC5786C9079851A7A5A1E,IMPHASH=BE6A8F73F7A470237F542B6CFB4ECD5B{E1BD9FC2-81E9-609D-7B51-00000000BB01}5772C:\Windows\System32\slui.exe"C:\Windows\System32\slui.exe" 10341000x8000000000000000578582Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.962{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-81E9-609D-7B51-00000000BB01}5772C:\Windows\System32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578581Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.962{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-81E9-609D-7B51-00000000BB01}5772C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578580Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.930{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-81E9-609D-7B51-00000000BB01}5772C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578579Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.930{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-81E9-609D-7B51-00000000BB01}5772C:\Windows\System32\slui.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578578Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.930{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-81E9-609D-7B51-00000000BB01}5772C:\Windows\System32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578577Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.915{E1BD9FC2-81E9-609D-7A51-00000000BB01}6008WIN-HOST-681\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578576Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.899{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578575Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.899{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578574Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.899{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578573Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.899{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578572Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.899{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-81E9-609D-7B51-00000000BB01}5772C:\Windows\System32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578571Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.899{E1BD9FC2-81E9-609D-7A51-00000000BB01}60085672Shell.Commands.ManagWindowsPowerShell\v1.0\powershell.exe{E1BD9FC2-81E9-609D-7B51-00000000BB01}5772C:\Windows\System32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\shell32.dll+3cd0f|C:\Windows\System32\shell32.dll+3cb9c|C:\Windows\System32\shell32.dll+3c8ec|C:\Windows\System32\shell32.dll+e2187|C:\Windows\System32\shell32.dll+e20e5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+38b3fc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+af0a27|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c01b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\bab4d7857719db0b38dce8c4169d1eec\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64) 154100x8000000000000000578570Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.910{E1BD9FC2-81E9-609D-7B51-00000000BB01}5772C:\Windows\System32\slui.exe10.0.14393.4169 (rs1_release.210107-1130)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\System32\slui.exe" C:\Users\Administrator\Desktop\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=6DA00C320273915FA7A6E43A8AA2F0C5,SHA256=008AD5FDB6416DDDDA2851C9E8C45A37F4332394341EC5786C9079851A7A5A1E,IMPHASH=BE6A8F73F7A470237F542B6CFB4ECD5B{E1BD9FC2-81E9-609D-7A51-00000000BB01}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Windows\System32\slui.exe -Verb runas 10341000x8000000000000000578569Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.852{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-81E9-609D-7A51-00000000BB01}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578568Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.852{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-81E9-609D-7A51-00000000BB01}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578567Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.805{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6284728C:\Windows\system32\lsass.exe{E1BD9FC2-81E9-609D-7A51-00000000BB01}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578566Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.805{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6284728C:\Windows\system32\lsass.exe{E1BD9FC2-81E9-609D-7A51-00000000BB01}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x8000000000000000578565Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-CreatePipe2021-05-13 19:45:45.790{E1BD9FC2-81E9-609D-7A51-00000000BB01}6008\PSHost.132654087455082613.6008.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000578564Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.790{E1BD9FC2-81E9-609D-7A51-00000000BB01}6008WIN-HOST-681\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_mkijwxrp.5wp.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578563Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.790{E1BD9FC2-81E9-609D-7A51-00000000BB01}6008WIN-HOST-681\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_tm2jqw53.amu.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000578562Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.774{E1BD9FC2-81E9-609D-7A51-00000000BB01}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_tm2jqw53.amu.ps12021-05-13 19:45:45.774 23542300x8000000000000000578561Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.727{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E619431D238102DFEEF92FE738C95557,SHA256=3DDC85F5CDCDA0F0D8F0DD5E68C396B9666414AA7E67A9CBB5B21AA249BA8B2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578560Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.540{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-81E9-609D-7A51-00000000BB01}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578559Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.508{E1BD9FC2-819A-609D-6051-00000000BB01}57245736C:\Windows\system32\conhost.exe{E1BD9FC2-81E9-609D-7A51-00000000BB01}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578558Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.508{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578557Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.508{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578556Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.508{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578555Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.508{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578554Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.493{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-81E9-609D-7A51-00000000BB01}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578553Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.493{E1BD9FC2-819A-609D-5F51-00000000BB01}57045596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E1BD9FC2-81E9-609D-7A51-00000000BB01}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+8491f2a9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d933c2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d92ffd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+8486a66b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d4ff6f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83db39e1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d959f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d959f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d95881|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d865a1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d93ae3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d93655|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d933c2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d92ffd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+8486a66b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d782a8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d7781a 154100x8000000000000000578552Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.508{E1BD9FC2-81E9-609D-7A51-00000000BB01}6008C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process C:\Windows\System32\slui.exe -Verb runasC:\Users\Administrator\Desktop\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x8000000000000000578626Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.769{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C7A21528B2E63E2512B254F2F16E69,SHA256=131707159540F2831E1E8DB12BDE2636138CA1EC254EF5E56627DF91EF6ACBC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676868Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:46.692{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6E27096116EB222D5BD6B0FE4EB85DC,SHA256=82CC19D5C413873C83232EFDB54D6554029612DC966A35BEE483910D61FF6615,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676867Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:46.329{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-81EA-609D-7156-00000000BA01}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676866Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:46.329{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676865Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:46.329{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676864Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:46.329{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676863Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:46.329{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676862Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:46.329{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-81EA-609D-7156-00000000BA01}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676861Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:46.329{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-81EA-609D-7156-00000000BA01}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676860Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:46.330{7B03F3B2-81EA-609D-7156-00000000BA01}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676859Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:46.082{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549A2C94025D0E839F2548EF57B2C296,SHA256=221365636A1987CAD42D69C1C6F218CC64946ABEB8B95692AE106A4A9070132D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578625Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.571{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DA07B1ABCD6235E9887EA8A14CA0B2F2,SHA256=662F080AA67AF008C8304AB41E8AE8C2766E28990310A595D38D60405AAACD01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578624Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.555{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB1376068D707FCF91E5ABCD1A518E56,SHA256=43579CF2896E7036851F49BC2F00DC63CA8A8A972D925E3B4AE1DFB1919E66B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578623Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.149{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521C8EFE9BBACBE26332A37453CB9A83,SHA256=4F0B5E8B23F2084B1B04CF99760A18464A3E99486EF2850AC360D4B919682A45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578622Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.087{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578621Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.087{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x8000000000000000578620Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.071{E1BD9FC2-8179-609D-4251-00000000BB01}39324168C:\Windows\Explorer.EXE{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578619Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.071{E1BD9FC2-8179-609D-4251-00000000BB01}39324168C:\Windows\Explorer.EXE{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578618Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.071{E1BD9FC2-8179-609D-4251-00000000BB01}39324168C:\Windows\Explorer.EXE{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578617Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.071{E1BD9FC2-8179-609D-4251-00000000BB01}39324168C:\Windows\Explorer.EXE{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578616Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.055{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578615Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.055{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578614Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.055{E1BD9FC2-D2BA-609A-1100-00000000BB01}9801600C:\Windows\system32\svchost.exe{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578613Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.055{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578612Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.055{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578611Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.055{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578610Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.055{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578609Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.055{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578608Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.055{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578607Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.055{E1BD9FC2-8178-609D-3C51-00000000BB01}20001528C:\Windows\system32\taskhostw.exe{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578606Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.008{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DC0DC05B59820E8D65FA7679B2193888,SHA256=F1E013158E1F48ECCC8CB5254D369FF00A195FEF5C5C3EBEB5F130FB96AC85F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578605Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.008{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121804C:\Windows\system32\svchost.exe{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578604Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.008{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578603Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578602Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578601Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.993{E1BD9FC2-8176-609D-2F51-00000000BB01}39403988C:\Windows\system32\csrss.exe{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578600Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578599Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.993{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578598Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.993{E1BD9FC2-81E9-609D-7C51-00000000BB01}43004124C:\Windows\system32\slui.exe{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e69f|C:\Windows\System32\windows.storage.dll+16e315|C:\Windows\System32\windows.storage.dll+16de06|C:\Windows\System32\windows.storage.dll+16f278|C:\Windows\System32\windows.storage.dll+16dc2e|C:\Windows\System32\windows.storage.dll+fd025|C:\Windows\System32\windows.storage.dll+fd3a4|C:\Windows\System32\windows.storage.dll+fc9e0|C:\Windows\System32\windows.storage.dll+16650e|C:\Windows\System32\windows.storage.dll+166202|C:\Windows\System32\SHELL32.dll+3f8cd|C:\Windows\System32\SHELL32.dll+3e466|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6718e|C:\Windows\System32\SHELL32.dll+3d443|C:\Windows\System32\SHELL32.dll+3d30b|C:\Windows\System32\SHELL32.dll+3cc27|C:\Windows\System32\SHELL32.dll+dcb5e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x8000000000000000578597Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:46.002{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\System32\changepk.exe10.0.14393.0 (rs1_release.160715-1616)Windows ActivationMicrosoft® Windows® Operating SystemMicrosoft Corporationchangepk.exe"C:\Windows\system32\ChangePk.exe" C:\Users\Administrator\Desktop\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=E158157A57E322D9BB683FE2378724BA,SHA256=64708A3E27EE5ACBEB14140A956AAF8F6472CF60D592C05BC564851BE5CD42D5,IMPHASH=67AFB32EC629ED4DABAE2F8273A64EB5{E1BD9FC2-81E9-609D-7C51-00000000BB01}4300C:\Windows\System32\slui.exe"C:\Windows\system32\slui.exe" 0x03 10341000x8000000000000000578596Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.993{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-81E9-609D-7C51-00000000BB01}4300C:\Windows\system32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578595Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:45.993{E1BD9FC2-D2B9-609A-0B00-00000000BB01}6281504C:\Windows\system32\lsass.exe{E1BD9FC2-81E9-609D-7C51-00000000BB01}4300C:\Windows\system32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578639Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:47.769{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0595111DC7F3485548A71B9A25E3B0,SHA256=6E36924544D504AE2C8F3D0A6E2F55A8DB64E89D486DC9406F7CD0FBF77B0096,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676888Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.969{7B03F3B2-81EB-609D-7356-00000000BA01}71324132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676887Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.789{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-81EB-609D-7356-00000000BA01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676886Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.787{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676885Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.787{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676884Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.786{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676883Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.786{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676882Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.786{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-81EB-609D-7356-00000000BA01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676881Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.786{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-81EB-609D-7356-00000000BA01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676880Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.785{7B03F3B2-81EB-609D-7356-00000000BA01}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676879Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.769{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF3C8BDCAE8FBF268E1C5E6C4FB13369,SHA256=C30C98E67507FDAA8FD7B5355CA07FDEE96DD18E20EEC17DFF3EE617E6BE8D00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676878Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.285{7B03F3B2-81EB-609D-7256-00000000BA01}80445896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676877Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.107{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=599758971C66D6EBEB5CE1F0CAD196D4,SHA256=4A04F977C8129CCDCEEAC27D8652072C061A09BF70F8BF214A6DE169F2C1653A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676876Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.107{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-81EB-609D-7256-00000000BA01}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676875Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.107{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676874Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.107{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676873Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.107{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676872Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.107{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676871Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.107{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-81EB-609D-7256-00000000BA01}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676870Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.107{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-81EB-609D-7256-00000000BA01}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676869Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:47.108{7B03F3B2-81EB-609D-7256-00000000BA01}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000578638Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:47.519{E1BD9FC2-D2BA-609A-0D00-00000000BB01}7924592C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+ec16|c:\windows\system32\rpcss.dll+10ee2|c:\windows\system32\rpcss.dll+6a4c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578637Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:47.519{E1BD9FC2-D2BA-609A-0D00-00000000BB01}7924592C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+ec16|c:\windows\system32\rpcss.dll+10ee2|c:\windows\system32\rpcss.dll+6a4c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578636Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:47.191{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+194dd|C:\Windows\System32\SHELL32.dll+61df0|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578635Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:47.191{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578634Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:47.175{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+62f35|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578633Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:47.175{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6164f|C:\Windows\System32\SHELL32.dll+628b0|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578632Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:47.175{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bd0|C:\Windows\System32\SHELL32.dll+6286c|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578631Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:47.175{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e4e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578630Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:47.175{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62840|C:\Windows\System32\TwinUI.dll+12d4e1|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578629Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:47.175{E1BD9FC2-8179-609D-4251-00000000BB01}39324236C:\Windows\Explorer.EXE{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618a4|C:\Windows\System32\SHELL32.dll+62e17|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13bd9f|C:\Windows\System32\windows.storage.dll+13ab2b|C:\Windows\System32\windows.storage.dll+13904f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578628Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:47.175{E1BD9FC2-8179-609D-4251-00000000BB01}39324280C:\Windows\Explorer.EXE{E1BD9FC2-819A-609D-6051-00000000BB01}5724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d319|C:\Windows\System32\TwinUI.dll+12dfcf|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578627Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:47.175{E1BD9FC2-8179-609D-4251-00000000BB01}39324232C:\Windows\Explorer.EXE{E1BD9FC2-81EA-609D-7D51-00000000BB01}5700C:\Windows\system32\ChangePk.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+61c8b|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2e0d|C:\Windows\System32\Windows.UI.Immersive.dll+2524|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+64ddc|C:\Windows\System32\combase.dll+64a92|C:\Windows\System32\combase.dll+633a8|C:\Windows\System32\combase.dll+6180f|C:\Windows\System32\combase.dll+6080f|C:\Windows\System32\combase.dll+5df06|C:\Windows\System32\combase.dll+5d6ba|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000578641Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:48.784{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAD7BE9E18F8F8B5FDF08107447F7DB3,SHA256=A9F1FF8E117BA44D4B488F11B9C955CD811249BF0216C9FD8BB134A2A3C591F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676891Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:48.806{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17A1F69FBD71A8DF4602919A7B48B6A5,SHA256=D8651A5FD0E01D5EABA508F529A96914783473DD144672331C8D6ABA5303CA3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676890Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:48.122{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA65A05EB1BD24ACFF5A413B54B1E54A,SHA256=A9BA24D0378D2E6B3D1FC4B906168145DE327F9B4B355285D962A58347C0EEDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676889Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:46.359{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54112-false10.0.1.12-8000- 23542300x8000000000000000578640Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:48.191{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=450111BD1DAE896678D393A9210380CB,SHA256=CFB45CE2E805BF62A209E2DD032798620CC3F2FF9F3BB17A052F5F8DCDA69754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578642Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:49.784{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463084E0B1E25CF9FA6988C68A9CDDF9,SHA256=B4435AD1CCEDCDC1CF87A79DD3CC52CCD9B66565F842C9EF6B2E9CE692850C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676892Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:49.137{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7AC707D53FFE58285E348DD68BC6A30,SHA256=6EFBC0F1F6AF0925CCADDCC159962ED931BE65F2A6C36F235CE93F8EAA6D2CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578644Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:50.800{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF0F2CD337E3E2505BB3B8625F64FBF,SHA256=7AEB290E7EC91FACEA6DC8C214F9AD9C02F410B0495946099B5C9F3239E06B37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676902Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:50.992{7B03F3B2-81EE-609D-7456-00000000BA01}47446340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676901Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:50.735{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-81EE-609D-7456-00000000BA01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676900Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:50.735{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676899Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:50.735{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676898Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:50.735{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676897Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:50.735{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676896Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:50.735{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-81EE-609D-7456-00000000BA01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676895Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:50.735{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-81EE-609D-7456-00000000BA01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676894Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:50.736{7B03F3B2-81EE-609D-7456-00000000BA01}4744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676893Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:50.187{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B66FF8107939487E5F4E5D7BCBA601,SHA256=74790814EEE0819750B9BA96B4BC2C5DECC4810C45E246C15CF00C79225373A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578643Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:47.649{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52922-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578645Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:51.831{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D4EE687D3A69C2D47ABE12E41BE8A4,SHA256=E17AF7B87AD8607BABCD600A7A9773004F7F7E4D4C3FA785A31B768663BFC980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676912Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:51.740{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8B9819502415069AAAB91E511E5B525,SHA256=53CBD2823CF0EB0EA2C7A76984A98CAA8160F7A0DAFFD6F14929E16A516B45D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676911Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:51.409{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-81EF-609D-7556-00000000BA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676910Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:51.409{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676909Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:51.409{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676908Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:51.409{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676907Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:51.409{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676906Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:51.409{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-81EF-609D-7556-00000000BA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000676905Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:51.409{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-81EF-609D-7556-00000000BA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000676904Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:51.410{7B03F3B2-81EF-609D-7556-00000000BA01}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000676903Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:51.192{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E760F739DF2CD7DE0EBC78FFC6A4BD,SHA256=E7ED4F25BD81D4CDA9930E75DF71E883C22132F9DAE7B712E6C10A2042BFD919,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000578657Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:45:52.941{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000578656Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:45:52.941{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a7c7ba9) 13241300x8000000000000000578655Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:45:52.941{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74828-0x331a54d8) 13241300x8000000000000000578654Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:45:52.941{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74830-0x94debcd8) 13241300x8000000000000000578653Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:45:52.941{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d74838-0xf6a324d8) 13241300x8000000000000000578652Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:45:52.941{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000578651Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:45:52.941{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a7c7ba9) 13241300x8000000000000000578650Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:45:52.941{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74828-0x333d21b1) 13241300x8000000000000000578649Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:45:52.941{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74830-0x950189b1) 13241300x8000000000000000578648Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:45:52.941{E1BD9FC2-D2B9-609A-0B00-00000000BB01}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d74838-0xf6c5f1b1) 23542300x8000000000000000578647Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:52.894{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AC72FB630C31A3015D214DD7390B414,SHA256=266E8BBD3BC9F11973AD4C6EDC3B333A9DDF20547F654C5693799C816B8E3378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676913Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:52.291{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED466E39B040FC6C9334EFABB375F4F4,SHA256=0A7A20BCA5DFB7DDAD0F44D4CE51C95DFBE939302660821BBDAF07719B99CE5F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000578646Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:52.753{E1BD9FC2-8178-609D-3951-00000000BB01}3248C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x8000000000000000578660Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:53.925{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0FD44A6ABB2F1991E069BCD2DFB73B,SHA256=73F228AA06C8C40DB710BD5F992A4136B21D704B6894F1B8FFEED32ECD2E3825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676924Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:53.753{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=9B5CA69F0A4A788C71AC5933608DA55E,SHA256=F180BFD2F279AD2F550D87D7F99727D4702D23833FA76E74D11C40327E38268C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676923Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:53.753{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=CBF0EB49EF9761838F1BB1FF0F5E7E2F,SHA256=B8EB32BB46C9F5C8B7C409C4DDF91276852AD8F92D628F6B8353B06476F21F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676922Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:53.753{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=D61FAAEA4992D0BEDF013A6DC534DAC5,SHA256=D147819A71179B8D6CF8C886186BEADB879BD57E475B777B3123BCD565203313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676921Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:53.753{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=28A6DFFD021B60A22F1219945F8865E3,SHA256=115259C3908878206A5567656E9F22ED300F65CE7F4211BEB922FF57F68B2716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676920Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:53.753{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=F945DE142A054A9528240880A4533290,SHA256=0F69483E806808001CAA0ED1CC3D8C6EB3F2F5F430A2E6AC2C7BFC0022382EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676919Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:53.753{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=C15CC1103ABFDB0404885188762360DE,SHA256=5289F6B3D09E5B69DB213D3E83BF876BAB78298A6C53EE0F20DD0B50F62E142F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676918Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:53.753{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=6328ABE317D9E17C68C7E311395EC9ED,SHA256=DCAE5CE3BC85093EB9216E4B149B45226B98AD93FB4E6148C01017E57119843A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676917Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:53.753{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=024143241863B94F5076286EF4D6E010,SHA256=9F353D569199A3C0C3BC078CACBCD1B7B348EE6D76D850F8C6D31FA975B5C25A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676916Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:53.637{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6F6335019C7B4611ABF6D4D645322767,SHA256=3509965035AF7926FF9CB91C644F44E305451B913816BA92EE313DA0B86D210F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676915Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:53.306{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FDDA3E7C6CB8FAD00100BAD8C7A4E3E,SHA256=E24B555EB7F1E5AAFC0DFDB7C18E49ED8A6449F195C3D6DF525FC0ECD1B74C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578659Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:53.847{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=32C7126DEC8C6C22E9561051D57B7A78,SHA256=268A2E1D78A07AD3CAD7668FD68A23596F57E95BD43012729D15FDC1FE4011E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578658Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:53.847{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7D6C227C17DACACD288FD8BF95734602,SHA256=5755D88EDAACC6B344C4FAC0B133BCAA330D53C0FCF0D0680DCFC0AE0FF2D487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676914Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:53.122{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AAA75FF644D1314A2FD91D506AC13FCF,SHA256=6A898EF08B2A217D02F83F9CEE2785B2DB29A721B1DA4E79350703175ECDC9F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578666Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:54.972{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9265A32D0A3175A4758324B86FD528,SHA256=C3CF7961D5D38081CB44F16D3A30735B8308460A04C606521B82951B77734D23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578665Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:54.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578664Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:54.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578663Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:54.581{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1500-00000000BB01}1176C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578662Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:54.191{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38C058381E5429755AD13FAFBEA17F79,SHA256=0836BFE688D6E4FD11007371B2976B40EB4797C00904640397CF36C95FE64CAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578661Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:54.191{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8DB4531C11C35D698556B1EDF0EF8FE,SHA256=AB50C353674741FB0F81B89583A2700E52E9602A0ADEF4627D874F0E77368A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676926Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:54.321{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45911D88147E7F2BE4D758AFEA1C2545,SHA256=994B515B6362509B6241E3D139B2B0887329A35A3C6C3A8A230263845C6C91CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676925Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:52.335{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54113-false10.0.1.12-8000- 354300x8000000000000000578667Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:52.805{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52923-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000676928Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:55.336{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13F0CC72401736B5794FDF7A65E95655,SHA256=DDCFE319F8B2FFAF103DD99327ECC5325F2FDE6312380298B65A59E1413E9000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676927Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:55.205{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D349A711353C2E1FFA3C5AF887766F5C,SHA256=08EBFE54432F786E2A2210A098FCF6E44DB6A6669D6EBB2FD9EAEE3BF884AB7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676929Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:56.367{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2430A94DE292D8314A463ED477CA48B2,SHA256=66424FE103E700F9005BA68A5AD8730B8788E7084DC5F749E4A876D34DE5E09D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578668Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:56.019{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35650FCBCC7AC7C788A8D5ACF3E0429,SHA256=C482C84EAA0F4B7613D0483D2D0EC186B103D7DA167F234964FC1AA1CD685812,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676930Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:57.384{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5C5857C4FE9876A35A23DCD74A7568,SHA256=F902FFE7995F89FFA758DC1EA588287F9355AC6167DE9B515F9A20C0DF4E29FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578671Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:57.534{E1BD9FC2-D2BA-609A-0D00-00000000BB01}7923632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+4160e|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578670Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:57.534{E1BD9FC2-D2BA-609A-0D00-00000000BB01}7923632C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+4160e|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578669Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:57.050{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EC71E647D493AC73F42D28C72A32D9,SHA256=1094253AB7BF23B83B63C7A617684E993B93B38D758D2AB2E731040C70BB8347,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676933Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:57.365{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54114-false10.0.1.12-8000- 23542300x8000000000000000676932Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:58.418{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5341097DA5DC86DB6B3E26FCA2C3B19D,SHA256=5569DFA6C7CA27EE449C50E61AA8136269F56EB6F66CEBF07092E86E2A2B2943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578672Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:58.097{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396F45C4B4B2B241E9509BF85859F1C8,SHA256=B1C87D5FD591850D700AEEFB39C556CF5CE7A6160BFC52073BFA3C54257EC400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676931Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:58.134{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B96A02197522C07529AC7D3E4565E765,SHA256=4CFBA4A4D196D3B026F6994B8C80BE8EE2F437504C4DF8D619C5A07C57954898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676944Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:45:59.433{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C12C7F5ACA3C18B1B4B5CD6558E50F,SHA256=E38BAB8046F2DC99074DA5DCFA1EA79D49E81BD598CC6446B508BA47A0D27783,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578676Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:57.821{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52924-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578675Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:59.300{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF87954068517CA8889452A9941D9C5B,SHA256=1F0C6351928F879BB5FF1BAECE39E9981A8FDF828A946F9B66ADD414FFEB4EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578674Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:59.300{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38C058381E5429755AD13FAFBEA17F79,SHA256=0836BFE688D6E4FD11007371B2976B40EB4797C00904640397CF36C95FE64CAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578673Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:45:59.097{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F8FC45336C899546D55E9213AE4C9C,SHA256=36721D3FEE10C1FB6ECE7B195F45A910C3F06181FEF5C356EA685A51CBAFA989,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000676943Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:59.385{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000676942Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:59.385{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a84308f) 13241300x8000000000000000676941Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:59.385{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74828-0x36d02944) 13241300x8000000000000000676940Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:59.385{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74830-0x98949144) 13241300x8000000000000000676939Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:59.385{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d74838-0xfa58f944) 13241300x8000000000000000676938Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:59.385{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000676937Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:59.385{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0a84308f) 13241300x8000000000000000676936Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:59.385{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d74828-0x36dac8f1) 13241300x8000000000000000676935Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:59.385{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d74830-0x989f30f1) 13241300x8000000000000000676934Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-SetValue2021-05-13 19:45:59.385{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d74838-0xfa6398f1) 23542300x8000000000000000676946Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:00.883{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A24966418E4D9896747BA7D78922BF9,SHA256=00E55E1DA6CD7EFDD399C8FEA17A2671AA3F2DDB4240D3DAF4A1EDB02FB8C3D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676945Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:00.448{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BF8B7F93098390B6B94ADE972DFD53,SHA256=F1BE028C92B85FDFCC02B676FA2A08767960516A67C3F8E49D55CCE57AA9C7BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578678Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:00.659{E1BD9FC2-8178-609D-3A51-00000000BB01}1556332C:\Windows\servicing\TrustedInstaller.exe{E1BD9FC2-8178-609D-3F51-00000000BB01}956C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+7cda8|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578677Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:00.097{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C9EE03C4918F8A67F02B4799B32227,SHA256=F24566349510EED579C7E54A731A3C2AC10FC321FFB611EC6F7D2114CAF09B95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676948Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:00.111{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local55519- 23542300x8000000000000000676947Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:01.462{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D548FAF52B2E93D8027E523A1CCADE82,SHA256=0787026488EB185DF2C715486C249C26F0C1EC29125D084DBF931EDE6F424FB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578682Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:01.878{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1723D5E638EE8943EE367D281EB8E3B7,SHA256=27E66DA6A3AD1BCF822C09FEFD97495C07C5CAD5491D3464DFAC03937959B7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578681Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:01.878{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=32C7126DEC8C6C22E9561051D57B7A78,SHA256=268A2E1D78A07AD3CAD7668FD68A23596F57E95BD43012729D15FDC1FE4011E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578680Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:01.706{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CF87954068517CA8889452A9941D9C5B,SHA256=1F0C6351928F879BB5FF1BAECE39E9981A8FDF828A946F9B66ADD414FFEB4EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578679Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:01.128{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6E046804F75295044C49418FF4FAD4,SHA256=4843C982D41F828F9CB6DD6204C039C0933B9E11804A81E9C57684A0E1BC455C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676950Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:02.779{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C98926E861CEFCFBA2D94C72865757F8,SHA256=AE6EF58C6F131813B8B68C66AFF56AD2AC2CEB930C5299994464E219E448D744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676949Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:02.479{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B686737E00E9CA65AC11759F509539EA,SHA256=59B75B66D064054EFE8F0739DBC350AB5C1AAE6E0C88C4A55F47DE397A5FC434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578683Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:02.128{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03C4F51268A583174FD4852DFA09576D,SHA256=358EEC28DFC8991C92039721C46807E961135B2923C803315697FE4903CD2DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676951Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:03.512{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4EB6C0C867C289173ED135B806EBA82,SHA256=6368EA080F6A9D27103096237F93EBD3B2EA596D00C61D5D921BF8EA0AC42F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578684Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:03.175{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C2EC52BDE9261250FEBC1911AA4513,SHA256=653C9B6D456CCD608B34324CCE5C337F3EE0967DDF086E37151D012A2BBD654B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578687Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:02.821{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52925-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578686Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:04.237{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B62B31098C36858FABFA61DD9D2CE69A,SHA256=C92A78F8D20E0EE05538F36236C16117DADD2A63DE22898271B3B19601120D3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676953Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:02.406{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54115-false10.0.1.12-8000- 23542300x8000000000000000676952Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:04.527{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62660819956F64C9918657DE2A759437,SHA256=690FF108CFF56DD5666077E10B59A79E1DD713738F8016221AE162ACE97DABC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578685Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:04.191{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED68BC6EB06C351E5C8B77B281637C05,SHA256=962B52947F2BC0D9EC56ABD246273149509A010847B2402BFE1272F081A6CE8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676954Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:05.542{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA0E89931F0F82264BBDE26918ACAD9,SHA256=490638FA11C7B22E01CB61E4A8B959F5FFA186FB84245226DF1D8FCF8529D484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578688Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:05.237{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3830C5896FA88D51BB9B045C3F8CCA7,SHA256=8D37BAB807799FB1DCD5752698C1B1E7F10F6A0E44A99A5ACC61123FC21D63C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676955Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:06.556{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82987224C34B2A13655AE0918A78E58,SHA256=B4B1FFD04A1DD9C7611F39FC42D2A3234F0A16D225307B349E55AA0D017C5B0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578689Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:06.269{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EF7C4C661E809CF7341A6497584C268,SHA256=7EE888AF935C137CBBE94A5BBF19169A4D4012320943764EFBC6272A94B26525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676969Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:07.793{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E09A3CC56729E98DE02F55005C9ECDE2,SHA256=CD0732900DBEBB1FC7FDDF44A73859CD086A1271FC86D791DC6ADE8FF06351FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676968Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:07.793{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05F13A6578ADEB99B6139A9DCDBF219D,SHA256=FD1A40B5272774DE334C96503BA9B3BA37630D88D8475DB83FF7AE9701C46F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676967Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:07.609{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E9F05C98C54C14C2D1E1B69754B29B,SHA256=8538146EA04205268A37AAF25AC4A178FC03EF2E8B9D472D27FADB1CE635168C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578690Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:07.289{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C102EB1726BE8145122347F8E6F39C,SHA256=F0C37F7A61E61C4B02523BB124071B47059F28D2A57FA596D87AAF777E8CBC90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000676966Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:07.525{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676965Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:07.525{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000676964Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:07.525{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-1500-00000000BA01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000676963Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:07.125{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E96A01477EBAA4FEC76112638C6A562F,SHA256=7DF6BC44DA86671B01C7106AD2C184F4023EBB4B3EEA85C6D133794CFBC14C7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676962Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:07.125{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=1AF7E108DC2C467921EAD912FB8123C9,SHA256=1D268F70B97795AF063686A9E6339254DC852762E0204FBBB991FBE40567B5E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676961Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:07.125{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=F4A401598C2C967F685D3DDFE64D4A3E,SHA256=8B25BAFC615109BF1BE1DE3F6509A4388D706AC75F3D93D0A08BF3C1BCFE3280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676960Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:07.125{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=225C533042365E5C928CFD78D3E07DB7,SHA256=CBBC2A4567B3CFE8FC76A48E1977E11B274A501075CBBD94D15FC33D5561B5CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676959Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:07.125{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=AB0EA58335EB74DB3A48F64E74A2D881,SHA256=74C7F63E0E6B9A9D086CB0059DCE73EE362E2D11EDF8588E578FE523BE7204D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676958Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:07.125{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=8CBBFEE08125C6C56566F798DACBA018,SHA256=E07E0CC39154951AED485C85D4C6B4C0BBF4B58F64238C8BEDF76B5C08B056D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676957Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:07.125{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=F9681E36F22DC78F4E54DF25DC23AFC1,SHA256=5604C18A2BBCB69D880BA9DB60736D191304EDF967BB71F431E033DFD5237EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676956Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:07.125{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=C5928662CA26370EB36672FCFE961816,SHA256=E9BDDB5E7B7ECB2D1E2727AEBEF78D6B28BFFAAAD03F03419A6D6C9E292EB5F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578691Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:08.304{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D747A08C305B8AFECB76A9E6E159AEB6,SHA256=5CAFFE2A639B892478064E8C9854B4B7CA5F8472A05D5501F3080131495D608C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676970Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:08.624{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F18891BE81E104D6F5C3E4CE736575,SHA256=B7024D861043E7B558811BDF3B9C9C23B8F62102965E0E20A7F08919FC7329C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578695Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:09.554{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8250592FBDC5E6BE858AC3A8AE06FF65,SHA256=345F3228B11CB92C80C04B5AFA6BF5602DD2DEAF6784FA69B9D851846C050FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578694Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:09.367{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020CF1A499E50EECEF657CE137A1D0EE,SHA256=9F5DD77806E68A8A85484AC6236A9AEE7F5494F77DA4CC081AFFC24FCB167A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676973Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:09.654{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244B496E045F2046B2710E2BBC731B5E,SHA256=B9A546D16E12C2B4C3DBB9ED2BECAD18E6024A34AF2A05B41AD454092F3005C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578693Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:09.242{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93A3ADA73DDE9837CF2E914E6917DDA3,SHA256=70808BDC737FEA29A7217CD96E1C1C2811B5D19D7F678265332BC8AE28A9F104,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578692Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:09.242{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E4D0DECFC3368F22A55BA3A245B171C,SHA256=310F45C48CE75D695032B50589A264AEB1A73C11C65E31C18C998C7249C032C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676972Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:08.301{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54116-false10.0.1.12-8000- 23542300x8000000000000000676971Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:09.075{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E09A3CC56729E98DE02F55005C9ECDE2,SHA256=CD0732900DBEBB1FC7FDDF44A73859CD086A1271FC86D791DC6ADE8FF06351FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676974Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:10.654{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26AA14277B36A076F582E81E24C2B9BD,SHA256=A7F31B03817E7DBB0678E46FF4920D4A776A892323E85F231FDF0A4739CC8F6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578697Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:07.856{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52926-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578696Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:10.382{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFC7B062EAAF53837FB3B9772F527B7,SHA256=DC22B7642963AEF829A5EE1B5CCF0BC0FFD74E311E3703053FC063039B543F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676975Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:11.675{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=910F3E67D644D6846FA9784E52F4865F,SHA256=5A4186E2D9FC63F03FFF37419A5562647DA03024AAA2556E3D5C47D44F091719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578698Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:11.382{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3771D44479C9B27C745B932DD0C1C4B9,SHA256=3EDB1F4D6167B436AE6FC72F367E4F855049728D2D982286C2516DB83F8FF42A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676976Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:12.690{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F154AB9ECDAEE372177876AE9B9FE759,SHA256=E6805CEB871C609090B59ADC82F48A64A0F38C3A1610CE43661578B58505A6C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578699Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:12.398{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F173B22FBAD2D623FA24D608FEBB9E6B,SHA256=E1452CC1F7681C44981B82269DB369E9E5DDB55668A34DB29EFA3F3F9C58EE0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578700Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:13.398{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0186BC04673827D2A46666B67A753412,SHA256=43B88C38820846DFD11F961453A2BC9BDACA857F00F49C0DC64552EA6859B301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676977Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:13.705{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA15D4573A071CF97EEA6EC5B8D05BEA,SHA256=1E2FA27119FB0B59D2AA04A27AB66C1B33F41BB0F9F987FA9EA1C5FCA3089FDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676981Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:13.435{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54117-false10.0.1.12-8000- 23542300x8000000000000000676980Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:14.719{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0897DCC3BB45D0D3C60B75EDD968CE,SHA256=4D241FAA227CDF4D6BD7F59CD71E7FEC076841F7A47FACF640AF7B7D7D335B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578701Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:14.414{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4F92A6065FFD5A1EF744B3EC2889F7,SHA256=55B7CB4F66FA45733201FA68088E88C621E0F0C43E589088F22BAA8F97905F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676979Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:14.220{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96202C2F646DA1AF3FF1C9E637485078,SHA256=06CB8DD9A038BC766949CED2D13FF19F064C80FDDD0D6688DEC4B97AEA2E5EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676978Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:14.220{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=791883EA7070058917B3B4C840507407,SHA256=A2CD8187CCF9794E04758891D56416243495A6431FEE678CBB18ED6B0AF21B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676982Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:15.750{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B3EAFCF5BFB0519E8D56AB7614FDA8,SHA256=BB065839F1775CBE97008022220A200E64276CCE47FF6F87D524824C19D89D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578704Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:15.507{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1FA3F5175A213BDE326E1F5FE1B533,SHA256=C2BF1ABD44409C8258EC87AA760E3DCFB8C97E81CC1ED9D1218653B620CC045C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578703Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:15.086{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E891C4092BEC4518B5A2EA5FC46D8D2,SHA256=297B65092BACBA0C9C2582D4776266F35B3E0BD38FFF17723BDE471011BD2463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578702Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:15.086{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93A3ADA73DDE9837CF2E914E6917DDA3,SHA256=70808BDC737FEA29A7217CD96E1C1C2811B5D19D7F678265332BC8AE28A9F104,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676983Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:16.768{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997938BE8635B0CFACFF4AEB2C47F8C5,SHA256=AC1C5061E0E32BF051B837EDF8A511440C8302472D77E37A4081F0A157B8EFA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578706Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:16.554{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8DD0D770C7F6528582977C0F8051958,SHA256=B9A1F59F562DE92F9250EC707C5F2CB161484123D41C7B28196021416DB6E2BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578705Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:13.669{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52927-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000676984Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:17.786{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85EBB5D30C6CFCBD61198378F3D11FB1,SHA256=0C71B11472E1A383A571B3A43D6EB8BBD6DCD636CED55858139AC9BC48EE74E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578707Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:17.586{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E14EA3227FB63775D40662564CCC79,SHA256=00FBFF07A24AFC97D006E8EEC7FED34C4B8C3D34A8E3FB74D2B769AD8FD575F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676985Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:18.802{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE3C82307DB549A84DA3566BDED2CDF,SHA256=82AEDEB74ED2833162D54DD4E4108E80DACB69B3FA131FAB558DFA055F6035B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578708Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:18.601{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4FD5C589E0600B5B26900F3F9F625D6,SHA256=4D8C81D433E99FC828D0FAC5036423B466F09B12EAA460E94396D58E03C8D1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676986Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:19.816{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0321F4A305938C2D1E8A691B7709E07B,SHA256=C85F682F3EF343E6B2963124F67D4B688314D55C8F12691F3D67A8FDE69DB05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578709Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:19.617{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B3F19F4189B7D6D7D7FD5F53FBE97E3,SHA256=2C667B89DCDEA4AFEBA7A3A4D7EB9517D766BF2525FE6A2F30EEDCD837806E6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000676990Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:19.313{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54118-false10.0.1.12-8000- 23542300x8000000000000000676989Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:20.847{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B4B827A6E454438709294C23B921254,SHA256=2BEB0C69473B765032B1F01778DE59524C17A5398599D69EBD2875B2A7043330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578711Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:20.648{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53316CC2170CBEA43CD90F47DEB8942F,SHA256=5040E2D0A39DC3348C6144D71A186D789B830B5E0526DDD8D3A740F672612218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676988Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:20.085{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56819E700E139B94B552C9F940E0F86D,SHA256=A57E87FFEE86DC24A121252B09BFAF930F20B9DD9A2D2D5FBD3A37D798DBFE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676987Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:20.085{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96202C2F646DA1AF3FF1C9E637485078,SHA256=06CB8DD9A038BC766949CED2D13FF19F064C80FDDD0D6688DEC4B97AEA2E5EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578710Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:20.054{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E891C4092BEC4518B5A2EA5FC46D8D2,SHA256=297B65092BACBA0C9C2582D4776266F35B3E0BD38FFF17723BDE471011BD2463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578713Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:21.679{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3E4592645EECF0D24272233EC60691,SHA256=A727E97B1D7AC9C1C552061D24FAACE27C926A95E9D8A6A6A6D6A545D61E43A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676991Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:21.866{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04B374334193A2B7DED8EF5781737364,SHA256=FABE3CC9705D8A2EE68ABCE7A3E35E1606663F210FBA219CD9FD7BBE8B0D065A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578712Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:18.669{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52928-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578714Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:22.679{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=258109E06671FAA6F9F0B85E39F9CCF5,SHA256=739F597C4F988FB558375EFECF4B13691AEB2DDC44877E75FAD7A0ACC69CF05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676993Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:22.931{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27EB6FAABE3CE7FC343D67B4B961D83E,SHA256=FA45B9DAD9952A99BEE18EDFB9D13F24EC54B0A329C1F63EB56AE5F8B9E57DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676992Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:22.799{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56819E700E139B94B552C9F940E0F86D,SHA256=A57E87FFEE86DC24A121252B09BFAF930F20B9DD9A2D2D5FBD3A37D798DBFE01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677002Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:23.945{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654DCC74B5C8342F8F2633E76725D3BE,SHA256=5B586614D0A4BDB5A4D6CDEDA3B33CB18FC62ADC3E0CB9DEB1E072CA731DBE21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578715Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:23.711{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B72AE27F35CB6E2BE35EFA9EF23D2EF,SHA256=9F47EDDF295AFCE1CF472AF2416EA151481DD093221A525C473FF71D49F7DC9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677001Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:23.767{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=CCAAB3A053A222516386C3AA3171D96C,SHA256=30E1E67F5C3D93F8EEDAF541C59382A0E744F2A18380AFE0A6F38C6676B48C34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677000Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:23.767{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=B81CBA9B432040FFA70F984069027E98,SHA256=C313AD1EDE7D2242591D56960EC12D8A660DCE7E79CA4D9D0A8AB1A78AB955DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676999Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:23.767{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=859745B6AB2A93B26F8E441B188520AE,SHA256=F576B2215D2CD744EA399A7995694F8CF21DE82A7CF6BAE96CE8012738ABB7FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676998Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:23.767{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=1C6DB359DF182340243A5F339F51FE9B,SHA256=572130651BB15BE0C48D17DD9DEB72303C04119DC4202BAA0B02247E59CA4D67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676997Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:23.766{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=0EBA9F8BF5CDD17C25E424DEAAECAEB9,SHA256=33BAF261AC52330E22AF937D1C3D2335D56B40451E0B2B0D2F56F0421BB26876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676996Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:23.765{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=9B945B1AB0260BBF6462299AFC3F0659,SHA256=D52B4B7F0647B0D7C6A3AA60AC6D954E52CD55F6BCA020D9F200AA8662A5F82F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676995Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:23.764{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=6F51AD7524E78129A3183748DE49D9BE,SHA256=89287394F8D8933362228D89D369934664AC50C0632CC53A461C0266101F1FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000676994Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:23.762{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=1B4827091DC8912E8F9CE26B133D9383,SHA256=502847D444BC9032A81D3DF4BAFC4C7C78894612C8AB90AF84770DF19011A10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578716Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:24.742{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B72CE741FEBE30F3B2192DDB3E18951D,SHA256=E200551B4AC8D263673A9B3F91BED361DF86FCED23CC0B111DCDC00ADA3849EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578728Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:25.804{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8211-609D-7E51-00000000BB01}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578727Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:25.804{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578726Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:25.804{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578725Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:25.804{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578724Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:25.804{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578723Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:25.804{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-8211-609D-7E51-00000000BB01}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578722Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:25.804{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8211-609D-7E51-00000000BB01}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578721Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:25.805{E1BD9FC2-8211-609D-7E51-00000000BB01}5116C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000578720Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:25.773{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD5B32A2E02A9FBF7545F7DB252B083,SHA256=04E287C4F5B35043382F68F9FD96DE3EFEF5A4C4735292A787A98D42243EA9DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677005Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:25.496{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677004Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:25.164{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67A70830380E2279E427955FE1092C3C,SHA256=A3358B37EBD181AB923A66C093A6B1BD0A458A5457C5A8921ECE7CD5FD5624B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677003Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:25.012{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28E5ED673BACB4730AD8ECA72BA94F0A,SHA256=86982D37D7756749DD39E996D17CF41CBC9B26A0D9C249AA0E259C0AE4E81C7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578719Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:23.700{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52929-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578718Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:25.101{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C787D3696F2DED166E9D79B2CA4311E2,SHA256=B54FA1ECAD5DB93011E00207DC7D84927F8599A19A9AF937AAF59BAA1B23835E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578717Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:25.101{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E021D38E269BC5CC9580E4D492A2169,SHA256=202BC3489434981D0E1491128355C3BA87595863583A0B61DB0D3D3A2395DBC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578738Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:26.816{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C787D3696F2DED166E9D79B2CA4311E2,SHA256=B54FA1ECAD5DB93011E00207DC7D84927F8599A19A9AF937AAF59BAA1B23835E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578737Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:26.773{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2BD4FCB3E0BC02D0E3DCD2187509521,SHA256=59160DDFC704ED06F3C64DD96163E0804ADF5EEE152997DCB79CDBE19C4D332D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677010Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:26.495{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9BC2AD3D1FC183B55E8D6BAAC5FDF228,SHA256=69F51E2B541E0A07195591478FFB1150E8747A5E3A10B85BD91555A60EC25995,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677009Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:24.543{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local54120-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000677008Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:24.543{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local54120-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000677007Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:24.390{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54119-false10.0.1.12-8000- 23542300x8000000000000000677006Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:26.064{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10DF5A3228B143A683CD4BF432CEEDE1,SHA256=E38D934B866BFE2F258C91AEC01632970811BFF90B4B9B10937495C63A302234,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578736Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:26.476{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8212-609D-7F51-00000000BB01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578735Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:26.476{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578734Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:26.476{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578733Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:26.476{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578732Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:26.476{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578731Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:26.476{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-8212-609D-7F51-00000000BB01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578730Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:26.476{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8212-609D-7F51-00000000BB01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578729Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:26.477{E1BD9FC2-8212-609D-7F51-00000000BB01}5224C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000578748Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:27.848{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A13D65FAE5F426D2B5B6544D9752B2F0,SHA256=2B6004D7909F850D93EDA7387C6AB69D1BB4D590B51C33EE75CF306455DFB3AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677013Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:27.794{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=692E9E132DC009528005D6B8A574B79C,SHA256=269F1FB48DDF3AC539D041655F979A9B8D0DD0A2981E2457445A6882E4494A6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677012Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:25.725{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54121-false10.0.1.12-8089- 23542300x8000000000000000677011Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:27.079{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1139287A6C93C1DAF73FB32BEB298BA4,SHA256=05BB65BC5C03E16710D4CD6912DDE6643C93A5F7BBA0EEE81231F08B01D7A3E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578747Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:27.285{E1BD9FC2-8213-609D-8051-00000000BB01}59085904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578746Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:27.145{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8213-609D-8051-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578745Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:27.145{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578744Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:27.145{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578743Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:27.145{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578742Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:27.145{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578741Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:27.145{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-8213-609D-8051-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578740Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:27.145{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8213-609D-8051-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578739Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:27.145{E1BD9FC2-8213-609D-8051-00000000BB01}5908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000578750Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:28.863{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27A992B79167B4C993DB15302DDAD814,SHA256=0DF398AA4A7C253DF76DDC3DB8A41AFEA79FFED35F0E7A81B976A0C2628B6514,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677015Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:28.393{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-472D-00000000BA01}4204C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000677014Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:28.109{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B3AB4826A398797342C4ABA07A870F,SHA256=BA6414CEDE70E55B58305BBE2A8AAD5BDC936B476A7C30DA8DE33449D9232075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578749Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:28.160{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FE1248FE0A0BAD0E7ED712F27F51E7D,SHA256=153112709F2A45D9522514F641191809736D9C23B5580594744F7606F47AB9E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578751Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:29.879{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=614A9D2C19C980CFFDE755C7A2A9496F,SHA256=18F1E930262CC91794184E1C8F36645B90B0EA10F279AE1CC1F1EAD2D36CBDC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677016Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:29.123{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD45DAC3A47A3F505D95695F026E571,SHA256=82D558D774C8213CD6A2183BB100F8A25B5DAB4F5B59A2EAD3EAEF18988101F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578755Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:30.895{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3072802667BCB1526ACB7E2A8A198CE5,SHA256=78C8CAAF42786D8E8D8F5821BAB2B21E910674A38B95B9C53225186369E9822D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677018Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:30.206{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B4AC4D1B0CF55738010042C28B84C90,SHA256=A6490DCFAE2F0A0CD5644D5A61EA0E5AF2982B806AC8FDE93D45CD948B3F1352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677017Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:30.137{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52493A284BB4677ABCB40C421346F863,SHA256=BAB8C76CBAFC26B7585905FE41FD1A73582CA11CC5506D7629A84203F693338D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578754Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:28.712{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52930-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578753Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:30.098{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92E130D5E8CDAB3F8AF4B5B91BB78B62,SHA256=543EFBE9A14F650251DDBA2DC269F523FAD5F2F8917E11CC4D8043FB9CDF9080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578752Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:30.051{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578756Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:31.895{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061A60CEA8FA2D4527395BA85FE3C1CC,SHA256=2B18F5320227E5EE4A93F1CE584F6033D8188B8678115A2831471EC9FBEDA18A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677021Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:31.507{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=310A8CF196535A8AB9B2BB60252C13EC,SHA256=CF493C11793FD2619344945AC471F778786898D72030D41797512F93515AA0A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677020Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:29.421{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54122-false10.0.1.12-8000- 23542300x8000000000000000677019Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:31.174{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AB881612D7A3D28E69DDA92ACDD42F,SHA256=2A8A50DC077F2E33565F2FC2669284C44195821A3FF7CF128418E35E8F287553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578758Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:32.910{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8822D0544182A4BB1A4742206AE58F,SHA256=E87FF5A35444F8BD88C1930E57EADD34F865CD2BCA9F4ECFF2B4D0A194431898,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677023Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:30.736{7B03F3B2-D0CA-609A-1100-00000000BA01}620C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x8000000000000000677022Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:32.176{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69055C14B78C7A0D0436D46913CEF348,SHA256=7D567923713F00C5EF10FFECBE887C2A7FA58DC65278EA4831688A30914C26C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578757Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:29.666{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52931-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000578759Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:33.910{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=406BA2B496A359CC6A22BB545B90ABE9,SHA256=8A936FFFF05B303DF876BDD2518E5A5017E04DC3B6F41742527F1D4BEFCE7A7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677024Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:33.190{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F041277E0A2EEC91F063CDF2D69C3F9,SHA256=86EC3FAF20E06FC9520892609D643DB0EA379EA6197EA3A236555AFA50925138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578760Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:34.926{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CF7CABE4BA92DC85F069577B1F84C6,SHA256=7159E9CA7C0423A7DCD95CDDCE7F213555E204AC68590E2B5BE1051D32D168F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677025Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:34.221{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9B537D0FE08EFE394A319C702A5050,SHA256=F684ECC92B139247BC1C784E4B90962C88E399AC7CD38185A897881F6E3EA380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578782Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.957{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFD72ADC5CB099E10553A001862538B7,SHA256=A71880F45FEC88061E10D92372E481AA3AED38B95ADA07E479FB2167986D7870,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578781Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.895{E1BD9FC2-821B-609D-8251-00000000BB01}60406036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578780Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.754{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-821B-609D-8251-00000000BB01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578779Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.754{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578778Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.754{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578777Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.754{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578776Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.754{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578775Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.754{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-821B-609D-8251-00000000BB01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578774Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.754{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-821B-609D-8251-00000000BB01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578773Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.755{E1BD9FC2-821B-609D-8251-00000000BB01}6040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000578772Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:33.790{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52932-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x8000000000000000578771Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.207{E1BD9FC2-821B-609D-8151-00000000BB01}47925956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578770Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.176{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=945716C3BDED5EF2AF593A6EE5EB26E9,SHA256=C29A8A11D62C1D59763E59A470267999B1B0237339948F4B047EC4476C1E8E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578769Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.176{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA20C3D90B7314C7D8961EAF72D776EB,SHA256=BAEFEF554FA76DEDAD0D0169F24408F39EEAAAF4779E82C5933DF8E135679655,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578768Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.082{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-821B-609D-8151-00000000BB01}4792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578767Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.082{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578766Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.082{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578765Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.082{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578764Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.082{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578763Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.082{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-821B-609D-8151-00000000BB01}4792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578762Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.082{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-821B-609D-8151-00000000BB01}4792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578761Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:35.083{E1BD9FC2-821B-609D-8151-00000000BB01}4792C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000677028Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:35.988{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-80B2-609D-3E56-00000000BA01}7476C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677027Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:35.788{7B03F3B2-D0C8-609A-0B00-00000000BA01}6325688C:\Windows\system32\lsass.exe{7B03F3B2-D0C5-609A-0100-00000000BA01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96fe2|C:\Windows\system32\kerberos.DLL+794d4|C:\Windows\system32\kerberos.DLL+144c9|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x8000000000000000677026Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:35.236{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC738379FE116B71D10E930C0397CFD5,SHA256=B1CB4DFBE1E1BD1F7F91181928F2B1903405D25E54E605BD7BFDD2465194C92F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578793Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:36.973{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E741CC3591CD7E2A39D635AA43CBF129,SHA256=F64F9F8390DA1A4595E16D6EF76E94FBD525AD192B96DA46D20F4616E054A664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677030Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:36.253{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=318C78489B50A8223F50EF8C51D62002,SHA256=05BBB2DAB6416A7A8EE921AFCE11EBA611A672A3070DD2904E63904C4E72A594,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578792Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:36.566{E1BD9FC2-821C-609D-8351-00000000BB01}40806080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578791Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:36.426{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-821C-609D-8351-00000000BB01}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578790Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:36.426{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578789Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:36.426{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578788Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:36.426{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578787Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:36.426{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578786Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:36.426{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-821C-609D-8351-00000000BB01}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578785Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:36.426{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-821C-609D-8351-00000000BB01}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578784Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:36.427{E1BD9FC2-821C-609D-8351-00000000BB01}4080C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000578783Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:36.223{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=945716C3BDED5EF2AF593A6EE5EB26E9,SHA256=C29A8A11D62C1D59763E59A470267999B1B0237339948F4B047EC4476C1E8E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677029Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:36.103{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=005CE4039B28C9B4CDF6A26F8F19E037,SHA256=2BDF6948B7C00A71F2FE32601304C6E05A01554BB4B3CB05B4652E65C4AE10DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677040Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:37.271{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D00ABF6C755DCAD2A1E1FD1A158C6606,SHA256=23A0DE2FFB84ACD3B72F8EC57BBF7CC8EC923F26C2E236E3390069905FFC9D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578802Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:37.442{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF05ECBB6C5E253C02B1B63CA4852E26,SHA256=0B9EDB7F368998D644E32FCB44B712BD0966674D91DB7FAB0F246F638BC2816A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578801Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:37.098{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-821D-609D-8451-00000000BB01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578800Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:37.098{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578799Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:37.098{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578798Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:37.098{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578797Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:37.098{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578796Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:37.098{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-821D-609D-8451-00000000BB01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578795Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:37.098{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-821D-609D-8451-00000000BB01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578794Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:37.098{E1BD9FC2-821D-609D-8451-00000000BB01}2684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000677039Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:36.037{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local54126-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000677038Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:36.037{7B03F3B2-D0C5-609A-0100-00000000BA01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local54126-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local445microsoft-ds 354300x8000000000000000677037Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:35.929{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-18.attackrange.local54125-false10.0.1.14win-dc-18.attackrange.local389ldap 354300x8000000000000000677036Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:35.929{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54125-false10.0.1.14win-dc-18.attackrange.local389ldap 354300x8000000000000000677035Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:35.921{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local54124-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000677034Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:35.921{7B03F3B2-D0CA-609A-1600-00000000BA01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local54124-truefe80:0:0:0:b173:2d3f:cb87:36edwin-dc-18.attackrange.local389ldap 354300x8000000000000000677033Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:35.318{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54123-false10.0.1.12-8000- 23542300x8000000000000000677032Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:37.154{7B03F3B2-D0CA-609A-1600-00000000BA01}1304NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RFa84c415.TMPMD5=3E7F1BFB703F96B8690B60B0AB0ADD1C,SHA256=3E659535DC78BB078DE1141E8E49C00CDD76591C2C6906431FDBD1DF6844129D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677031Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:37.117{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BC225F555D6709EE23BF3B1C14BFCC2,SHA256=E20946FBFD0FC0709D6CE66FF406E8CD1DE7C65AA309587B15D5B8A4E727184A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677043Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:38.285{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB8BEFAFA20F193622E477405413B8A,SHA256=12833B6E0F56E8945EB92E71213158D312C7F325DA7DD8B924E081E7F54A6292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578803Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:38.004{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC72073DD423B63978C20FFDFD2DAE75,SHA256=6567EA621A58F8A971DA6943660A00B312CE4383A471FC31F13CC7511816C642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677042Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:38.069{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F9739B35A72B023E0D27BDA478CB8621,SHA256=44BC2083E99A05A73D5AF51C665FA7E2FB44064CBC8DAE8BD2FC91EDC2D4575C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677041Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:38.069{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B2F0F66D85212A54BC185476011D0FCB,SHA256=F4E52F14BAEFB345E5262D0447B380A79D3E50F580C41D9A77A1ECE63B767338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677048Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:39.986{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\aborted-session-pingMD5=F4B6E454AC9C2B7B1A36103D900A67E9,SHA256=049653DF40153D1DD522B68B55BDAB7DD5F5D91ED3E5425562CDB14973092A27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677047Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:39.970{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000677046Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:39.970{7B03F3B2-31A0-609C-522D-00000000BA01}18764336C:\Windows\Explorer.EXE{7B03F3B2-37B7-609D-644C-00000000BA01}580C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55511|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802640DD8C8)|UNKNOWN(FFFFF956C4EB4A38)|UNKNOWN(FFFFF956C4EB4BB7)|UNKNOWN(FFFFF956C4EAF241)|UNKNOWN(FFFFF956C4EB0C0A)|UNKNOWN(FFFFF956C4EAEEC6)|UNKNOWN(FFFFF80263DF4E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5929b|C:\Windows\System32\SHELL32.dll+dac5a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000677045Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:39.970{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFa84cf02.TMPMD5=346300475E448CB8C87FA70FBB77957C,SHA256=6E1B0925EC7B732FAB1C67727204BF1339A3240893B5B49D14944A94705CC7A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677044Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:39.317{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59892BE2D4BC42DD391AFAD99FA2DA4F,SHA256=003A53F1C0D7516068180FB5D767F499E0E6D6886C71F89ABC298281ED87BD15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578804Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:39.004{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF1FBF1D7F1FDB49F57FB745E65E69A,SHA256=A6A0EC248B376AA241B54DB48E5B9E66829C0920A9275ED1AD3C58E539E5F188,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000578806Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:46:40.457{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d74830-0xb18427f3) 23542300x8000000000000000578805Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:40.035{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB43678EA642F9BD41B4E2E2D037D20,SHA256=016699E554BD316CC0A333B9BD325E8F5A00F37AE29D7CE0A2950078DF775766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677049Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:40.333{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20C38D74C9CE00A07BED9DD572A81193,SHA256=1574DE5A8F99E89AE50DCA584B1C84A41446BD6D135C95094DF8FE0C5D082122,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677052Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:41.352{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37ABC046A42ABCA6BE423F8E8FDB3117,SHA256=F0714EC69BF8A43F5AB9615C106A32A199C67B47AAF10C71E8C337F8C48056CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578809Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:39.790{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52933-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578808Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:41.207{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=860FBF4A076B92F1510E2F737CC0083C,SHA256=5B219AD8D47201E56C512F504066A46E0DACF4FF40F2694038DB40BF1C85F6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578807Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:41.082{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C335D9D9C41566101BECC6E65C66B99A,SHA256=1E698DA1F8FB8FEEF317D3AC9F7C4D450F53053C9CE55D1F7EEEA7D0E6E547FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677051Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:41.131{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F9739B35A72B023E0D27BDA478CB8621,SHA256=44BC2083E99A05A73D5AF51C665FA7E2FB44064CBC8DAE8BD2FC91EDC2D4575C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677050Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:41.069{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=64A4D3371AA6E6CA780D984308872A2A,SHA256=1EB86141748114B8A8549B5B80A1FD2711BE4A9926C0BD2FCEAC1D199A52A4FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677056Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:42.971{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-D0CA-609A-0C00-00000000BA01}856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000677055Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:42.818{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=815658E4F74F847661D6B188E7265EEB,SHA256=B0FFAFA71B5312A45D23A7DC184346A8BF1F9CC2FC53C84F3093E43E73C53EC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677054Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:40.378{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54127-false10.0.1.12-8000- 23542300x8000000000000000677053Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:42.372{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DAA6D04519A7FCF9DED600CB786BFF2,SHA256=DC9341A650E5EAAB3F16E3AF771CE95201BE92525566A67D7467438145CCD6F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578811Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:40.071{E1BD9FC2-D2BA-609A-1100-00000000BB01}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-681.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x8000000000000000578810Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:42.099{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF408E3D56653B88D85E13256A3A7BCE,SHA256=F2D88A4DB0451F24FB212CF5F670211497841519AA383B90ABD681F8109A6BB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677057Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:43.386{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397EF8DF4E48B30C9139CCA8818A6E5A,SHA256=1C19051EEBC02202A9CE583D8A0D51AB2594E84712D035B795C1AE2D6584DD2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578812Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:43.111{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0C708C0C2731715C927F50DC1590E54,SHA256=DE616EEA9CCE45BC12E919BAB913AA378CBE299F809B521BFE2BB960AD68BCC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677066Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:44.985{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8224-609D-7656-00000000BA01}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677065Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:44.985{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677064Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:44.985{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677063Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:44.985{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677062Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:44.985{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677061Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:44.985{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-8224-609D-7656-00000000BA01}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000677060Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:44.985{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8224-609D-7656-00000000BA01}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000677059Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:44.986{7B03F3B2-8224-609D-7656-00000000BA01}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000677058Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:44.432{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2DEA592901D238A066E21EB59D75305,SHA256=5482CF5BB016389AE715A85986E009295D98EC770474D1BD9434E932E7B06D6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578813Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:44.114{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65F7D0FE9161D726E4E23B82A796523,SHA256=B158057A364AC820FF0EC0A1E56F6DFA69B3E0855507D9D7B7AB8172D367DA7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677076Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:45.684{7B03F3B2-8225-609D-7756-00000000BA01}59288008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677075Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:45.531{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8225-609D-7756-00000000BA01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677074Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:45.531{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677073Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:45.531{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677072Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:45.531{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677071Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:45.531{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677070Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:45.531{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8225-609D-7756-00000000BA01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000677069Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:45.531{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8225-609D-7756-00000000BA01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000677068Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:45.532{7B03F3B2-8225-609D-7756-00000000BA01}5928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000677067Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:45.451{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CEBB3034795839386AA84C784E823A3,SHA256=5B3A6FB4CC9C3C975FAB00C05E8CA1238ECB5188349384E2E0EF10A140ECE2A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578814Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:45.130{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE7BF86A06DE99D4FA8DE32385964DB,SHA256=4102B81BE5C880698D6C8151050E266EAA062266F6A97B3169548ACD3C9C81A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677086Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:46.467{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85DFD3F48B229C4FDD2E2EFAC9529EEF,SHA256=39272C200F5051B850A5B1FB704E5B0B846ED755F3DFA5969A6ADEEF4DCE99FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578815Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:46.145{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A288CE8BC7B8BFA966F8C251B60F9D51,SHA256=8062D3A131934FBD79DDEF4B4AF84CC41836F62F2D31F57D3351D237F0E1DC1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677085Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:46.151{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8226-609D-7856-00000000BA01}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677084Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:46.148{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677083Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:46.148{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677082Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:46.148{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677081Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:46.148{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677080Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:46.147{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8226-609D-7856-00000000BA01}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000677079Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:46.147{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8226-609D-7856-00000000BA01}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000677078Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:46.147{7B03F3B2-8226-609D-7856-00000000BA01}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000677077Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:46.030{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0A31F64BFEE6034DD06C8727DA65ABF,SHA256=37C6309CACDDF37675E2EDA5AB823E3FF40F78E9B94AD2EA97DB8C2334902886,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677107Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.797{7B03F3B2-8227-609D-7A56-00000000BA01}74845808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677106Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.613{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8227-609D-7A56-00000000BA01}7484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677105Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.613{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677104Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.613{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677103Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.613{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677102Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.613{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677101Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.613{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-8227-609D-7A56-00000000BA01}7484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000677100Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.613{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8227-609D-7A56-00000000BA01}7484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000677099Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.615{7B03F3B2-8227-609D-7A56-00000000BA01}7484C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000677098Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.513{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E740AAF4277D9945754020BE377E14,SHA256=A891A2644E3A81D3C4EB7255C690CA11C22B1F8C8C70A823BCA332EEE0613265,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578819Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:45.713{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52934-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578818Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:47.146{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D84452E2B3BEE3DC409ECFB25802FCC,SHA256=1BBDD3C55A47002ABEB87C753BF07DE897D954EB6F4B4BDD536DC5C92CF3FB5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677097Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:45.392{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54128-false10.0.1.12-8000- 10341000x8000000000000000677096Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.267{7B03F3B2-8227-609D-7956-00000000BA01}29647980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000677095Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.167{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39F1A25731CA797CE42E83CDBA2F1FC3,SHA256=4FFC0516FAB8EC17DA1AD8540B58DC8B5F8383929024B3FB795A60D655E8E7D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677094Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.114{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8227-609D-7956-00000000BA01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677093Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.114{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677092Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.114{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677091Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.114{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677090Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.114{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677089Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.114{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-8227-609D-7956-00000000BA01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000677088Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.114{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8227-609D-7956-00000000BA01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000677087Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:47.115{7B03F3B2-8227-609D-7956-00000000BA01}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000578817Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:47.084{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A09B6B8B376DAD41EA976C4F4AC1C4EA,SHA256=0D83F7955429572F70E3C0D469541B427252FC61ECB59ECE962A44C3E5B6C891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578816Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:47.084{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1336EF24D586B1874A53789377DDA0A8,SHA256=7E55B2A3AC66F8D6C473A785C7FDD683E56D48749033F9EBFEFFD64D6A05E11C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677109Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:48.528{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC75DA70DE4BF2DD5ADD3FEA06EFFEB,SHA256=37C1F95777D9FE22B1BA36B152AFC9F2A52ACF1A9A9C29ECE3518A798843DDC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578820Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:48.162{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1DE3C53BAD7DF040E63FD7C0497C05,SHA256=EFD610F191558BC895A02F8E75679BAB2CC3B2C744C2925EC1D35074409A749A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677108Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:48.297{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5946466A5568FC450B73A5882B10C825,SHA256=6EF3DFB9D6AE23E58523344E6E1FF8CE23A326563C9F3D006B1350670C23E56A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677110Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:49.544{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C182C65DC3AD9FDAB9B1211F413413,SHA256=E5810FDB910C9C9EEAEEEEAA38E09F2CF5616F903C7FD3E5E1AFEFC87F8D7F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578821Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:49.209{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE056E971BE4B28773AB66039CD2259D,SHA256=6602994741251DD2C51B484FB878A9C7E1A3D809EF818479452DAB9B0DF3F857,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677120Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:50.909{7B03F3B2-822A-609D-7B56-00000000BA01}26283296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677119Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:50.745{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-822A-609D-7B56-00000000BA01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677118Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:50.743{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677117Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:50.743{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677116Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:50.743{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677115Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:50.743{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677114Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:50.743{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-822A-609D-7B56-00000000BA01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000677113Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:50.742{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-822A-609D-7B56-00000000BA01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000677112Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:50.742{7B03F3B2-822A-609D-7B56-00000000BA01}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000677111Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:50.547{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=347F1E2A433973F2948A750F8A3D0DA2,SHA256=3DACBD0B7DF54E2121FFE6109DAB533F69A825A50ABDFB77ABCDDEFAC5F0D7EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578822Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:50.225{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA66CBE5B19831561D831BCE3C1CF676,SHA256=EC2539A8D7E85FB20E961A854793BAEEDFD39D1D9F76C2B38140DC01DF941AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677131Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:51.594{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79052CBA4D2C471CC1C71B95F43D381F,SHA256=B87F51330B79A309967B453BBE94A0EC57CAEA49899349F20BA979A1361A17CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578823Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:51.240{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DA3934E19DAD7D1A646D60E94B36E89,SHA256=37A78F4E5F5477C2D8813F75046DE9F3AB70A7EDE1AB39E7020E0F0587B50AF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677130Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:50.424{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54129-false10.0.1.12-8000- 10341000x8000000000000000677129Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:51.425{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-822B-609D-7C56-00000000BA01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677128Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:51.425{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677127Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:51.425{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677126Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:51.425{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677125Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:51.425{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677124Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:51.425{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-822B-609D-7C56-00000000BA01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000677123Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:51.425{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-822B-609D-7C56-00000000BA01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000677122Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:51.426{7B03F3B2-822B-609D-7C56-00000000BA01}4368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000677121Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:51.194{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7259AD72312C3D14FB6E948B603ACD3,SHA256=71CC101FDD814233C868D9D0FFF5DEA129D0E7F1A97EE1E78276FAE667D5A77B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677133Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:52.609{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D4FD57E5A1B0CCA0ABBB2FD23D9049,SHA256=E0D6D0D6D4B606C39C92C893713DDE960D38CCD4E290A35E47B7350077BE079A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578826Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:52.272{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305444C676EE2C4262FDEF895B5B3A06,SHA256=40362539AACED5684126E1ED57D996FC6CDFDE25F829FE37DAF4051879F2A530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677132Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:52.444{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA0C17B45CB1CC727D31C6ACD145AC91,SHA256=A993C8903D47348A3E51C6C04149B0372A7DADB5DDA5CB2D51CAF1F27117A34A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578825Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:52.178{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F695DBE30902FE51B5A571551D13C82,SHA256=D951B6EA93FC9369BBD09F23FA112706A43E18EED580E9E602DA10131B3F3623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578824Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:52.178{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A09B6B8B376DAD41EA976C4F4AC1C4EA,SHA256=0D83F7955429572F70E3C0D469541B427252FC61ECB59ECE962A44C3E5B6C891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677135Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:53.640{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4174A1A7140D3D66EBC7461E090706B4,SHA256=309E3EB124026E9B96415564C98CFA7C52C0A11990AD4EBA39A131DA7618FC1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677134Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:53.624{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5604406C3ED850A0FBF56F22B3C15EBA,SHA256=AF5E6B106B8C3203CDAB2C19C6B37DD3C712BB73528424F12DB283863FA11BDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578828Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:50.730{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52935-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578827Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:53.272{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C0789A751E287212319B4DE73EA194,SHA256=A9876D57677E3DFD72330BC15BC4157EB2A17E5AF2C7BBB50B6B8E81514DB1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677136Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:54.641{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3ADC205A81D43403EE6A750F49C97DC,SHA256=33C1E3DD763920B40BD1B40A893E5479B336D660C59E3C57D6A5EE096ECA2050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578829Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:54.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C5B41540723E2C28C78F7470C55760,SHA256=431C96C7CDF112ABEDE731AB5B6B5E7F74FBBEC6996B4C1883FBAB6E636F84D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677137Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:55.659{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8BCD3EC5D6903FC21177A328778723,SHA256=84256A98C25DC287AA301538061069323469E17B629C2E60AB5B7C13B576E312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578830Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:55.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82124E2416332E8E09FE2722D8DA49A,SHA256=E6627D5D3B6C92DD7F915289C4873FFB72444F8FC938470F82912F3E8D86B0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677140Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:56.673{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92F699A2D671DA78A115A2711E2B46F8,SHA256=86BE4DC8857806809087E0A0BE4DBB5117922A4E1424F594E4EAE86FCB9009FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578831Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:56.303{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CF3CA74B78445ACEF90EBF78970B12,SHA256=545995A0BEC5B33EB07CB708920C8B3162FF3615E466A1C95415FE1DF7D66F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677139Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:56.240{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DB69C468B5BF7B1924C2A3FCB51B357,SHA256=2F1460CCDBE01B7B04CAA2FC260ECB4A21DD3E11480FFD631D9AAE5E0C6221E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677138Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:56.037{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-80B2-609D-3E56-00000000BA01}7476C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000677142Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:55.467{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54130-false10.0.1.12-8000- 23542300x8000000000000000677141Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:57.674{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F76DD3A0318C4F5A8DD9F5516AD52E,SHA256=644DE8ABAEBC18F734C9B9864CC561CCD0A517EFCFCB561E37A07FC01EAD37EF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000578840Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:46:57.647{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x8000000000000000578839Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:46:57.647{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x8000000000000000578838Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:46:57.647{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x8000000000000000578837Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:46:57.647{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d74830-0xbbc30c45) 13241300x8000000000000000578836Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:46:57.647{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x8000000000000000578835Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-SetValue2021-05-13 19:46:57.647{E1BD9FC2-D2BA-609A-1300-00000000BB01}380C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x8000000000000000578834Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:57.365{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=890135FDC5EDA98E3341F3FAF0C57E38,SHA256=FF2E84E5C18C3869A75D7EFED57DA51D2E823D843371F9F595803629939F9C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578833Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:57.209{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB305AF574FE29FE5AB1935178EBE86F,SHA256=BE0A9C532DA59F0A69332AB57746D42CEF1BEC7A9EF5135C3FC00E661E4CEB58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578832Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:57.209{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F695DBE30902FE51B5A571551D13C82,SHA256=D951B6EA93FC9369BBD09F23FA112706A43E18EED580E9E602DA10131B3F3623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578843Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:58.459{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=890BBB405FA3C6F4365825A207CB523A,SHA256=2D40B628D542B6DE95163694E1C94FD80A8A4E2F42ED1DEE152D3E2CBAB99BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578842Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:58.459{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1723D5E638EE8943EE367D281EB8E3B7,SHA256=27E66DA6A3AD1BCF822C09FEFD97495C07C5CAD5491D3464DFAC03937959B7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578841Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:58.381{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE03B7540DAE3F5DD3EE20913FA7CAF7,SHA256=917D43E6EE774CCD46A42F66BC36D122DA7C9D5DBA962020056ACBC96068FF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677143Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:58.721{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C914480E978AE3E321A5D27E78396D4A,SHA256=7D3B848EBB7F01C4E20F0543002EE06DE248DE38FBC5FF6095276DA49C16F081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677144Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:46:59.739{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DE5E4FC30ED897D7ED8580DA50F5B9,SHA256=241D3086B3A6B4BB943630D54DE6C73D822711F0AE0B0017CF036AFEB29388C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578845Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:59.428{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCFA6CCE4E36F3678D179989E0AE3C79,SHA256=7217C5EED85B88C34CEEB4C8138F2741FC87CCE8904B116F40ECB33BA7B785DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578844Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:46:55.839{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52936-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000677145Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:00.757{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED60D8DC28AEF9606B5AB0221BEDA77,SHA256=75B32220F56601D3B27F1ED1E603179795BF7129337B94B7745FB61B96F1821B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578846Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:00.459{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3EF57795D529AC3228E328A2EEAF857,SHA256=639D3007B46C87D373FA41AE2F51CECBF4967EC5C1E5BA918CD9670245B5E7BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677146Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:01.772{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA28F864715E44CCB8EA3739F1253335,SHA256=AEA9B041C09465A97281F57D7A1248A89B8B55942AEEB78ACDEA78366500EEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578847Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:01.490{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C3A1BFBB281662546E583F8CF9F7E13,SHA256=08CBD0BC8978D79AA0783DA2C24BF15493576C6CAB654CCA8D00B5E2CB6CC63A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677150Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:01.483{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54131-false10.0.1.12-8000- 23542300x8000000000000000677149Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:02.787{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD92CA762473F29C4D0DF0DA49E2C96,SHA256=AD8DB07B47661CE9EE05C0BD5ABBF699F49288C7C2BF4479300D8CD02C75DD03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578848Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:02.522{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5990CDA3357514C3ACF1FE0EC2ACEE56,SHA256=716669F8DDE1934E054BAA69D42CBCA9728D6377B09945530E17E0D7CB6CD7A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677148Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:02.256{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69506403621B46FF08F40DC310ADB4F5,SHA256=B11142AE20252B57CDD13E998B0E10ADC6C07E29EFFCB7CD2A29B2ACF2D0A3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677147Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:02.256{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E433EB464B8B35C6D99D7946686B2C04,SHA256=916BB0C7CEC29DBFA1601E1F560B653F8ADF0D5D9718765A4B9F48EC16D2EAAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677151Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:03.801{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19194A158BA0B17B53A18E22E4690EC0,SHA256=E10A1DC904BA13AD29C179F6AEE757269445316480985B3D3E6129B0DE8A7DAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578852Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:01.823{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52937-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578851Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:03.522{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28E7A9D2568FFD4CC50C61F5D0551E0,SHA256=A4E09AFDEE9665AE8DF150B9B0BB5C7AE7AEA2CA4465868A649CC7A903142E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578850Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:03.194{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=522FB15D83A24668BA3C95132D552031,SHA256=3F1BE2B28250C15BDD135D3C744E349D8DFDCD75C086B1E7AE251994D1920BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578849Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:03.194{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB305AF574FE29FE5AB1935178EBE86F,SHA256=BE0A9C532DA59F0A69332AB57746D42CEF1BEC7A9EF5135C3FC00E661E4CEB58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677152Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:04.816{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E86B5F13D616C7D8934686A7F9D524,SHA256=45620136D277E59A0F9BC1602962EF7C92B44CE4C95CE97696D2483BD8C306B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578853Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:04.537{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABF4C7ABE571F27E6B2DA5BE9D587E59,SHA256=8C22898118236CE5C5027CAB59BCC3BB0C4024226B07C5E414AB3D55CB5CD728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578854Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:05.553{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ADF51672408302BF5FD476B5494A31F,SHA256=90BB868D8685EFDA20FA45FD9D275D5788F9C664723C2D660D2E8851E39EA801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677153Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:05.833{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D787178295F551CADAE41C95081ADE,SHA256=AD70CE4D95E17E5B588BA23B761E76A9A6BE0A8AC66A2F6761664AA823B07C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677154Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:06.851{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54499970B39FDE61047B88DBA4BD254,SHA256=841FF2EBC13FD116B77C4176F9AF55853B2ADDCC4F20DD3544432CC6D5DA61E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578855Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:06.553{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4151772979A246918E4CD1BF15374983,SHA256=F36021B17FD4B071DC93E79B94368DF178385675E5936ECBF6875B60CDF2D171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677157Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:07.881{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EF16665A54120D5B850B8BE67E48F8,SHA256=963980D6439E19D4F150C3F87CD86ECDE06579C396197E3ED2D1770BF6AB3E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578856Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:07.585{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441D55BD600783E47BA400ADA0B07682,SHA256=B0EAECD3554422435A1F2D4C3DB949C1F0B251ADAD5087E18A7DE63BDBC2B8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677156Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:07.796{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDA3F9306C4F7C188B4474CD9E0E0C07,SHA256=B8559EB2C0891700002EE4A33DAAF461E94C874EC3C747837839ACAAB626126A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677155Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:07.796{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69506403621B46FF08F40DC310ADB4F5,SHA256=B11142AE20252B57CDD13E998B0E10ADC6C07E29EFFCB7CD2A29B2ACF2D0A3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677158Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:08.895{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD18AADAB3B8C5B11B6FFBF6A751F643,SHA256=1931800383537A365D431EB83268D97BF93005EC4D79696A58C57B18230F491B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578857Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:08.600{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E851EEB21A74216093EEACF6DBF52C2B,SHA256=FFC1ED8F8127F4446E7AD8066DF562FE44CEEB6DE59D723C36CE0D7AF5FE63CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677161Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:09.909{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E037D2CFFF53D9BD6CA001F25AAD13D,SHA256=DE02A786356145504889F9A25C5CA2736786BAA61657C8DD42B9E098089F384C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578861Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:09.632{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D059A48ADB735D17EB0E60CD5AB21548,SHA256=2CDCEAD58B720BA96A820F11E9B2D715EB4B6B3262E6C7B25999C955B993538E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677160Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:07.458{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54132-false10.0.1.12-8000- 10341000x8000000000000000677159Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:09.510{7B03F3B2-D0CA-609A-0D00-00000000BA01}9126412C:\Windows\system32\svchost.exe{7B03F3B2-80B2-609D-3E56-00000000BA01}7476C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+b157|c:\windows\system32\rpcss.dll+7897|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000578860Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:09.569{E1BD9FC2-D2BA-609A-1000-00000000BB01}972NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6E14747ABD4D17E603DE22CCF2854435,SHA256=2DD063938254B409F8A56AD77FB9B5FAB5913FFB1634E4AFBC115DE10F89088D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578859Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:09.085{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7399E37BA78C47AF6C81E036F292A43F,SHA256=BEF658130E4EE851077BC8FFA05C3038709F360FD52278B9B23F40010C240D70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578858Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:09.085{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=522FB15D83A24668BA3C95132D552031,SHA256=3F1BE2B28250C15BDD135D3C744E349D8DFDCD75C086B1E7AE251994D1920BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677162Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:10.909{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EF9A91DD4E3174E990D77A0CFAEB61,SHA256=599E42D75002FADFB9FF8EFE5D530CB57D4F83D9DC22EA700F067D10C55056ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578863Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:10.663{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F86C2CAEEB738664EF0D73AF8196231,SHA256=8D9DCD427F419F69C638FF8C3D1C76CBBDEF9B9480777E2D0535F50EAB08A1F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578862Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:07.699{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52938-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000677163Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:11.926{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A5C66D37540632D6D44C6C4F366407,SHA256=7FD5F0E1D21CF4C36790FE5723CEB6CBB4F0E4B267D68FE1185EEB8B9CC966A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578864Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:11.694{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233B08DE411672A7B658BF44F4E3F735,SHA256=5321E1448473BC25F583064D48BD754B00380FF2B347A5CE9D9A72609C6811AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677164Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:12.945{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F27FBB679DEA76CB111768E6D9A009B,SHA256=F3091B754B007C5A34F18C2629BAF2E1CF27BC74CBAC2AF3F4303F86D54E24AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578865Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:12.725{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14DA850F456CB6A7EB72FB37B7613F3F,SHA256=FD080570E6069346DF847C8EDFA2A5E2FEDB96CDE7275A0DC6CE6BDDDD0BB35D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677165Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:13.960{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD35803287A0AD8454C17D28E185EDCA,SHA256=D1B448FBED8ACCBDA5175B2A66B404A74E1B0079058BB5E6DD88C63CE48E416F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578866Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:13.757{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5EB304617EBE847EACF94D244F5447D,SHA256=D08E46C9CA72D030A183D5DD405CA0FDDC52B0102B910CE5CFE6F3E6172EBC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677168Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:14.990{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667EB83DD9BA7569994D830E4ED20C2C,SHA256=FCFBF4B9F3B126352CF5EB17B73E2C0ADD535BD4562F5BEB19E60B0406E8E8CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578869Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:14.788{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C050317FD49E80C3B1A49F10565B7D9F,SHA256=9774F071CFB6A5A1CA206CD0932B2AF6DE818783B1A41B0348F754D654A97CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677167Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:14.128{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E36A7B862F9D7337C885EC0132B1C66,SHA256=D945B1CF157502807114F35AD7EE47FDA6FFE791919C49E25D67DE042EEAFFDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677166Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:14.127{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDA3F9306C4F7C188B4474CD9E0E0C07,SHA256=B8559EB2C0891700002EE4A33DAAF461E94C874EC3C747837839ACAAB626126A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578868Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:14.132{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0EDD648B743565B785B6F60E6CB6E00,SHA256=D04ADBF01EADF2C4E1C8134EA8A3CBFA5184D1E709B8AEDD340B3819DDA7C6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578867Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:14.132{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7399E37BA78C47AF6C81E036F292A43F,SHA256=BEF658130E4EE851077BC8FFA05C3038709F360FD52278B9B23F40010C240D70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578871Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:15.804{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EAF20CCDC5A56834105809F75B0D91B,SHA256=FB3522359547ED4108C5E4733FD2CEA5604614366376AC1B7F4AD3420B49A7A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677169Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:13.352{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54133-false10.0.1.12-8000- 354300x8000000000000000578870Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:12.714{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52939-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578872Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:16.850{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFC6929E63ACA4A3E31F3AF40547F883,SHA256=1B72AB4C95DBD417BD2F0D38E15BFA854AF09441F0E97240BA72C60A648CF28E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677170Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:16.041{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5ED3C5F8F53AD7B53276D820326FFF,SHA256=419A92C6A98B2023AA58FDF3574BFAE52D7407FD7B8C1477B80460BD03B4CE52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578873Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:17.866{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402258FE8A28779673E1832BD16D019D,SHA256=D62E1735B7477090B7032FCB299B66DC65D974CDA09282736CA49178517C7093,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677204Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.122{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677203Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.122{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677202Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.122{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677201Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.122{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677200Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.122{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677199Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.121{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677198Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.121{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677197Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.121{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677196Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.121{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677195Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.121{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677194Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.121{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677193Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.121{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677192Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.121{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677191Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.121{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677190Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.121{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677189Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.121{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677188Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.121{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677187Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.120{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677186Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.120{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677185Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.120{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31A0-609C-522D-00000000BA01}1876C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677184Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.120{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677183Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.120{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2B00-00000000BA01}3028C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677182Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.120{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677181Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.120{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677180Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.120{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677179Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.120{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677178Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.120{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677177Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.120{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677176Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.120{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677175Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.120{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AC-609C-622D-00000000BA01}2984C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677174Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.119{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677173Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.119{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677172Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.119{7B03F3B2-D0CA-609A-0D00-00000000BA01}912936C:\Windows\system32\svchost.exe{7B03F3B2-31AD-609C-632D-00000000BA01}4184C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000677171Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:17.072{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BA149BDDD7068E8BDDF5D60233498ED,SHA256=5EF2C4F6F8F66DA73072EDEEF0CABB86AA10E07ABE90BA91B8CAF4FECF772D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578874Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:18.913{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9388FB5A95E1072883AAE0416132AF34,SHA256=B80C6E7ED1C83E6CFDC9FF3205A23B305C3F6DA91D606999EA2D1992208714D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677205Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:18.270{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44C960FF37497840F16D3576EAEB4A7,SHA256=38A5C0CCCCF19E663BC9F66563C6D9136844049E85CA18F01FB2F2A24E3223ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578877Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:19.944{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB997CE5D7A62FD342DC2AE09A4AE86,SHA256=B7E0DE9D05A99CB3E25B8FA51DE0539CF759DA8AE2ADD41A6412A009DCBFD793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677208Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:19.285{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF60F756DD3F9DF322343BF597A9D8E8,SHA256=3418B537B958DA5C4C325FEAF83046CDD9CB35F8BD43B9B1304544D63B42C645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578876Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:19.147{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85FDA3231E592BF285F58BA11B58D8AD,SHA256=AD41CC426F2DA99F5B254D4E67C38E6489EE610873C62D80BAF3BF31403FB94D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578875Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:19.147{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0EDD648B743565B785B6F60E6CB6E00,SHA256=D04ADBF01EADF2C4E1C8134EA8A3CBFA5184D1E709B8AEDD340B3819DDA7C6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677207Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:19.169{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01CED6A4AAD6E53C253AFA4CC53DCCA5,SHA256=A1C264B11141601BA3B2977942C7D10C6188D1A5F8427025EA5962DBA1BE5974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677206Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:19.169{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E36A7B862F9D7337C885EC0132B1C66,SHA256=D945B1CF157502807114F35AD7EE47FDA6FFE791919C49E25D67DE042EEAFFDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578879Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:20.991{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD1CBFD0A4B24A2002516E7B6F8604B,SHA256=3876438657100DA16138FDAC886E18F59AA0DFBEC25A7071EA4AF58DEBE06AEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677210Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:20.299{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50134A9545994AB118ED17D6578CAA7D,SHA256=2AC1ACFAE18ACAE7E4D9699D62618901C1D07AAD032799E2C2C7D8A177CC43EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578878Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:17.761{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52940-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000677209Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:18.400{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54134-false10.0.1.12-8000- 23542300x8000000000000000677211Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:21.316{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39D3977ED39D0B15AE83763E8A40C4F3,SHA256=3A4D6240C38AB6078AA93E60E524D51D304163FC58753B378C39714B868362C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677213Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:22.816{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01CED6A4AAD6E53C253AFA4CC53DCCA5,SHA256=A1C264B11141601BA3B2977942C7D10C6188D1A5F8427025EA5962DBA1BE5974,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677212Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:22.334{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35C17E4872274C325E597ED25B653E9,SHA256=B6959665B7C17EC224870A9D77E03218F59291F033D14CF58053D33FC41D6069,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578880Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:22.022{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A523D05C300F0EC036A9B64B76E02FA8,SHA256=845820B067CB270C12980BE1C5E603B479BA47A62DC711A4DBB48B2A15F27F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677214Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:23.348{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638DC63998FF4553575D343D46450BD8,SHA256=07E4FCF0E264B7867054CBE80C74EE011EA3A4F1D27FF97B019F759CA4CFCE40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578881Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:23.022{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7BA03590F287A0D85E53B14BFCCFE4,SHA256=E73975424AEE391D2D02C076C189B6773F1C5710FC116BBE10B09AA97C4310C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677216Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:24.363{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C780D892A0A4A4945B7B4C332191E6,SHA256=9228F0A42136AEAD69D61EC111B6EFBBD70AAAE359FC7F4DB25A0DBE5E6712DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578884Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:24.179{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B24F372F24A5B4C3B6461F7FC7F40018,SHA256=484AF1C330727D8B20B98C770151314C36735AEBF99D042F3B976D61226E4BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578883Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:24.179{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85FDA3231E592BF285F58BA11B58D8AD,SHA256=AD41CC426F2DA99F5B254D4E67C38E6489EE610873C62D80BAF3BF31403FB94D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578882Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:24.023{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54574AEE16B8D48238527F2C4E20F5FC,SHA256=D092D74C12CA7498A0D99CD75AF7663804BFBA9D8744FABF2DB129B3C706431D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677215Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:24.294{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9585589672F535540BF346F8BEA4EC79,SHA256=1CF6DD3404D436DB861701F46D45B131D11248D31E4C8DEEAE2002E3E633EC07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677223Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:25.793{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=F79A27FEB1C3BFA9986C564D056566DC,SHA256=19DB4CFDF1D0C243581C29B2CDB985EDA13D3E0ECCA8A2210A040849465537A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677222Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:25.793{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=6D3820F56AAA89DA1FF0E6D7BA9EFA26,SHA256=1CD3C6949606DA8DF8A36ED07352B45CFC15ECAA2F831BBA856FD4A884DFF475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677221Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:25.793{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=71C420282ACB2C97D5F0B3592474DB99,SHA256=2D841FCDD2E8DE24A4DC91E6C0E53B2DD3B3D484E624DD743863A5E2407B98A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677220Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:25.531{7B03F3B2-5120-609D-3250-00000000BA01}1532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677219Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:25.412{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2940C7A1E6508D07847049182650BD3C,SHA256=54B02DBA4A0D96877C3A0F1C31877AF86CEA81C3D1B3037F78A1E61241493FFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578948Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.835{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A49C7101428E3254B77319B379A6935,SHA256=F946BABAE9C943CB0282B89D903B39149E4C5EBEEC5BD6C8E8689EE62325B4C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578947Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.804{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-824D-609D-8551-00000000BB01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578946Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.804{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578945Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.804{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578944Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.804{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578943Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.804{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578942Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.804{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-824D-609D-8551-00000000BB01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578941Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.804{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-824D-609D-8551-00000000BB01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578940Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.804{E1BD9FC2-824D-609D-8551-00000000BB01}5208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000578939Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578938Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578937Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578936Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578935Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578934Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578933Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578932Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578931Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578930Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5051-00000000BB01}4352C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578929Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578928Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578927Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578926Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578925Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578924Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578923Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-817D-609D-5151-00000000BB01}4476C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578922Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578921Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4351-00000000BB01}1760C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578920Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578919Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578918Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578917Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578916Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578915Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578914Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578913Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578912Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578911Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578910Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578909Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578908Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578907Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578906Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578905Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578904Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578903Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578902Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578901Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578900Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578899Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578898Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578897Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578896Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578895Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578894Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578893Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578892Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578891Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578890Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578889Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4251-00000000BB01}3932C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578888Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+ca3e|c:\windows\system32\rpcss.dll+ba7a|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578887Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.741{E1BD9FC2-D2BA-609A-0D00-00000000BB01}792812C:\Windows\system32\svchost.exe{E1BD9FC2-8179-609D-4451-00000000BB01}3216C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+ed71|c:\windows\system32\rpcss.dll+b954|c:\windows\system32\rpcss.dll+ce2e|c:\windows\system32\rpcss.dll+a853|c:\windows\system32\rpcss.dll+42251|c:\windows\system32\rpcss.dll+42382|c:\windows\system32\rpcss.dll+426bf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000578886Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:22.792{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52941-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578885Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:25.054{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD36BC31D01A98A09356D77323C09ADC,SHA256=3A3E2E084E2E6028C8831D957C4E0CB857306A0FBF7A5751F564624D693CC222,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677218Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:23.493{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54135-false10.0.1.12-8000- 23542300x8000000000000000677217Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:25.331{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6CD64E6D37686F2338C5480D5070050,SHA256=B9D29EF6DE30A93D87C2338A468B369B46D07B7A59A459541807091ED12B84AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677227Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:26.561{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE19174E2E3B8B3E8B2B130E66D6BA17,SHA256=AAA1D29717CE0257ECCFDB15739E0EA644CBE49AFA19B94ACE7BA62880BE8659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677226Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:26.430{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5396232DE75A4DBD5689B1B77DD86DC3,SHA256=311395CCB5A9F370367124259C3E872D566186B429F4ACA086EAF1833868122D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578959Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:26.829{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B24F372F24A5B4C3B6461F7FC7F40018,SHA256=484AF1C330727D8B20B98C770151314C36735AEBF99D042F3B976D61226E4BA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578958Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:26.616{E1BD9FC2-824E-609D-8651-00000000BB01}38565524C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578957Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:26.476{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-824E-609D-8651-00000000BB01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578956Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:26.476{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578955Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:26.476{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578954Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:26.476{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578953Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:26.476{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578952Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:26.476{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-824E-609D-8651-00000000BB01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578951Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:26.476{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-824E-609D-8651-00000000BB01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578950Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:26.476{E1BD9FC2-824E-609D-8651-00000000BB01}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000578949Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:26.054{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24EF184214AF0070F66CD6A1D7B7D43,SHA256=7D137BF8F6782D2960509014BF2AD1EA80C4DFCE8819E482DEED3D7A6401BBC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677225Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:24.555{7B03F3B2-D0C8-609A-0B00-00000000BA01}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local54136-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 354300x8000000000000000677224Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:24.555{7B03F3B2-D0D7-609A-2700-00000000BA01}2888C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local54136-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local389ldap 23542300x8000000000000000677230Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:27.829{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E644E9F8495F9545827FEFC94DBBEA2,SHA256=B38A1C2F2588F16DB9B688F2C1B0E18BD5C516B0696B40F55CFCB02AEC943188,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677229Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:27.445{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF0F29EF1AB62FE54A2D8DD79359ED7A,SHA256=04D8D8A8FF55B3B2B96DC0CE3A199B98A06EDEF5466E39713A96AF7A9AA8B939,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677228Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:25.754{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54137-false10.0.1.12-8089- 10341000x8000000000000000578968Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:27.142{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-824F-609D-8751-00000000BB01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578967Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:27.142{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578966Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:27.142{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578965Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:27.142{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578964Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:27.142{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578963Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:27.142{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-824F-609D-8751-00000000BB01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578962Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:27.142{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-824F-609D-8751-00000000BB01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578961Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:27.142{E1BD9FC2-824F-609D-8751-00000000BB01}956C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000578960Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:27.063{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68454F44727EF2DF6F8FDA4D1A33262,SHA256=69C98E32E59339AF050152BE0AA35DD6D26529B14A24547422693F5970E42A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677231Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:28.459{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1629674ACB53F46ACF8BDADF568840,SHA256=8350C075ECEB77F38E2347182B7B5CD0D03D4EAA228043047AD0A3090095AB46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578970Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:28.142{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7535A0749CA17F6E1F734428D5B45A8F,SHA256=1F75EF21344D2E4A5AE24904451D24F8203D988CB27BCDA9CA65C79DDCDAF356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578969Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:28.079{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C79B1116ED7C05A5E1CE5B104D304F5,SHA256=9ADFBC0481B3018592473576561C03AD4D29C03CFB99750D725D256CC8932EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677232Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:29.489{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D484D045812E8771830F758C593E14F,SHA256=92AB83B7133CDA78B3F4674589F5AF07E22A7459E969B55D9A039B9E717483D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578972Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:29.188{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8EBE9301B6541166751662CF05BDE8B,SHA256=016F3BA7FF5634C574577B19B82889843BC2736D53C5C1C1AAEEB9610B0975E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578971Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:29.095{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD12ECF180B3BD396ABBA4D8D23AE94,SHA256=EE694D32E84E74B74AD2D38CBD8E483D6DC77E137224537CE77A53B8224EEE92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677234Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:30.506{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C48EE74B16A99199E4CFE666F828BF,SHA256=5595FD66FB872B5FDD73A0541A159CD9E2413B0AF60279068BE2D42DF46557C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578975Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:27.802{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52942-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578974Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:30.126{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2FE2F81C5904C6A205FFECA04474117,SHA256=EB4EC6F9142515C6A77AEC69FBFE9629AB7C417B54ACA3208DDCC410FE192D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677233Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:30.057{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73C254628778E428611A99A2762A5990,SHA256=13E8550133637B75A95E0FE2E530F99B66062A4640F99ABB228B4F4CF905C582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578973Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:30.079{E1BD9FC2-D335-609A-9D00-00000000BB01}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=A2082595039927B052D0A852CA90372E,SHA256=080CB1C21D6F7727A34C0B5DE8F2E2C25D197CB9222B4B86A86EAB5C70676C00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677236Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:29.288{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54138-false10.0.1.12-8000- 23542300x8000000000000000677235Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:31.527{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B800AB17FD9FD96B82B2BD78B6432E7A,SHA256=3837B927AF6F60C0FBD0D16BB415D7DF0B824B2F0EA265AF2BDD30743DBDB78B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000578978Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:29.693{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52943-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x8000000000000000578977Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:31.157{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5C4274FD3B6DF2D5EEE0B3D5A97557,SHA256=6CBDA2921D332D4EA71A0696E2892AEE6CD170AECB4152308DCF85D731A5C340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578976Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:31.063{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D19359AF693612B6D8D4E87136820CEB,SHA256=A6889ECED150ADCCE744D60424F0809D312AC7E379AC1AC919EBC70157472D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677237Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:32.542{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE89BD2FDE0BC82C7AAB6450EAD97AA,SHA256=86E8E197586C897933AC2E5EC4019C113D7D252B88FD8B60CD2ADB80A27A1FE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578979Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:32.173{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EEE20A48FD6B9F2BB4D81B89DF2A8FF,SHA256=0AFE31B1C049B838356E58CCA49B59EB8856EB002E2E4BE18C62EDED5356C3CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677238Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:33.557{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E125AC71C397FEABEB047805658E9A18,SHA256=6EFE5BECA24378F8B7503105E1BA68F7AE65CEBF177E96D10439985297315CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578980Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:33.235{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4E75AA6A9802F11EAB65E7ADCA9415,SHA256=A529FD52883621CA92D483C22EAF40A4BEDBC5B9A5657DFC830209FACBE49F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677239Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:34.571{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8195337C08E3E31E66D88552DA9B2D65,SHA256=BC1D515AEED758B623B5EBA34787BFBA0C8984597445543EE4AC9929B54C80C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578982Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:34.235{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E76BD6FFE2E6FC5B09B5D0FC13880166,SHA256=F0734CC2326018BB973A00A245A9C13AAF941E1161531232871143730E01421B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000578981Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:34.235{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDEDFBC8E64592B0F4245B10DFF680B1,SHA256=1B7A2AB826E7902DE3259D85573AF6F9C17AA7C8827B59543B8DC48E0B63CD16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677240Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:35.586{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4105E5F121EBEFD5A8E833CD517576DB,SHA256=5B8C9FB7298C2F4C9F4ED49E2657BE7C7C8217B662834D39292CB11233D62750,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000579002Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.892{E1BD9FC2-8257-609D-8951-00000000BB01}18522628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579001Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.751{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8257-609D-8951-00000000BB01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579000Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.751{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578999Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.751{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578998Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.751{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578997Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.751{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578996Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.751{E1BD9FC2-D2B9-609A-0500-00000000BB01}412988C:\Windows\system32\csrss.exe{E1BD9FC2-8257-609D-8951-00000000BB01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578995Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.751{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8257-609D-8951-00000000BB01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578994Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.752{E1BD9FC2-8257-609D-8951-00000000BB01}1852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000578993Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:32.849{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52944-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000578992Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.267{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694FD1B58AA6C17D46B27AA18B03817B,SHA256=8BA67232F53F1CC05CF3587E25B84C3A2DA68F006382B498CC768C588D09B6F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000578991Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.220{E1BD9FC2-8257-609D-8851-00000000BB01}51805252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578990Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.079{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8257-609D-8851-00000000BB01}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578989Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.079{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578988Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.079{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578987Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.079{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578986Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.079{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000578985Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.079{E1BD9FC2-D2B9-609A-0500-00000000BB01}412428C:\Windows\system32\csrss.exe{E1BD9FC2-8257-609D-8851-00000000BB01}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000578984Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.079{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8257-609D-8851-00000000BB01}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000578983Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:35.080{E1BD9FC2-8257-609D-8851-00000000BB01}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000579024Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.595{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=10368080468CF29FE27DFA05FE8287CB,SHA256=8EE836CC55926704229CB335E6C521783F106416AE83CC792E2CC1CC7519D9FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579023Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.595{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F76462D13D16C0D90B09676E956D3FE2,SHA256=B5ED997E6072F09E40B278281DBD0E5BB940DAD943B0807867F5949F758FF33E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000579022Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.579{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-8258-609D-8B51-00000000BB01}4100C:\Windows\System32\slui.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579021Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.579{E1BD9FC2-D2BA-609A-1600-00000000BB01}12123320C:\Windows\system32\svchost.exe{E1BD9FC2-8258-609D-8B51-00000000BB01}4100C:\Windows\System32\slui.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579020Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.579{E1BD9FC2-D2BA-609A-1600-00000000BB01}12121240C:\Windows\system32\svchost.exe{E1BD9FC2-8258-609D-8B51-00000000BB01}4100C:\Windows\System32\slui.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579019Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.579{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579018Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.564{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579017Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.564{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579016Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.564{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579015Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.564{E1BD9FC2-8176-609D-2F51-00000000BB01}39402944C:\Windows\system32\csrss.exe{E1BD9FC2-8258-609D-8B51-00000000BB01}4100C:\Windows\System32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000579014Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.564{E1BD9FC2-819A-609D-5F51-00000000BB01}57045596C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{E1BD9FC2-8258-609D-8B51-00000000BB01}4100C:\Windows\System32\slui.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+384236|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c99ae323aa8566cc2c0b79b709b48095\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+8491f2a9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d933c2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d92ffd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+8486a66b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d4ff6f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83db39e1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d959f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d959f0|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d95881|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d865a1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d93ae3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d93655|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d933c2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d92ffd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+8486a66b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d782a8|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\bbacff3d0ae5f6e457c31cbf7c94d6a2\System.Management.Automation.ni.dll+83d7781a 154100x8000000000000000579013Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.578{E1BD9FC2-8258-609D-8B51-00000000BB01}4100C:\Windows\System32\slui.exe10.0.14393.4169 (rs1_release.210107-1130)Windows Activation ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationslui.exe"C:\Windows\System32\slui.exe" -Verb runasC:\Users\Administrator\Desktop\WIN-HOST-681\Administrator{E1BD9FC2-8178-609D-4063-910200000000}0x29163402HighMD5=6DA00C320273915FA7A6E43A8AA2F0C5,SHA256=008AD5FDB6416DDDDA2851C9E8C45A37F4332394341EC5786C9079851A7A5A1E,IMPHASH=BE6A8F73F7A470237F542B6CFB4ECD5B{E1BD9FC2-819A-609D-5F51-00000000BB01}5704C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 10341000x8000000000000000579012Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.423{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8258-609D-8A51-00000000BB01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579011Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.423{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579010Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.423{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579009Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.423{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579008Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.423{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579007Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.423{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-8258-609D-8A51-00000000BB01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000579006Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.423{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8258-609D-8A51-00000000BB01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000579005Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.424{E1BD9FC2-8258-609D-8A51-00000000BB01}5300C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000579004Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.298{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847233EF527CDF7693DD07B60D6C53A9,SHA256=6954798C70804624A9993B29A012494D2644823CC14BF479D63E283FC2CA45FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677244Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:35.316{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54139-false10.0.1.12-8000- 23542300x8000000000000000677243Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:36.592{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D591595728B83977505A0CC28E6B6662,SHA256=8ABB92A8A2A78D65D53C3FA1F13B57C5FF2CD6B252E379D80CF83473D5708890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677242Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:36.085{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DF29FC63425D767C82F4126AFC42369,SHA256=815C2F25B763786CA5734CC798F0774AE67C21EB6597FD818BCFA17E52E2713D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677241Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:36.085{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AEDD0A10B7CD07BD4285B83B419ABCF,SHA256=DB12FEF77F3F0A8830C932EEC1597EB21B31403D85C37150DFBD11B79B88CDFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579003Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:36.079{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1E8EAECE7994929545283046672E3C3,SHA256=09C78157A2B518FF7A17770AC008ECD3058ADC71252DAED37DD8A4094F193330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579036Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:37.751{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D696B916C12C7234D85EE983DE918F4,SHA256=9CC2CB766B5320E9E49D683B961CEC94D49F3C5790240B259040D9A3D510069D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579035Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:37.751{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=144E72A1B9C5BE4CDD9390E8039B7136,SHA256=1648B2C1AFCBAB07D1B431CC404850912BBC4862F39634720E03EE1A764189DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579034Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:37.751{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA45E8A5C5E4971C97A55309E747BA93,SHA256=E316C7C99AA0C22B402F3EF9E8094F023FC3E221A337D9C91D8D3D645C7A2F24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677245Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:37.610{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60053D0D3D0992910CEAC74BA3DFFF9F,SHA256=914E22D11D1EEF4CE32EBF6031F560D1580A60DB752868C66AE43D860BA5A3B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000579033Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:37.235{E1BD9FC2-8259-609D-8C51-00000000BB01}42722876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579032Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:37.095{E1BD9FC2-D336-609A-A100-00000000BB01}39243288C:\Windows\system32\conhost.exe{E1BD9FC2-8259-609D-8C51-00000000BB01}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579031Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:37.095{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579030Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:37.095{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579029Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:37.095{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579028Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:37.095{E1BD9FC2-D2B9-609A-0C00-00000000BB01}728632C:\Windows\system32\svchost.exe{E1BD9FC2-D2BA-609A-1E00-00000000BB01}1544C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000579027Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:37.095{E1BD9FC2-D2B9-609A-0500-00000000BB01}412528C:\Windows\system32\csrss.exe{E1BD9FC2-8259-609D-8C51-00000000BB01}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000579026Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:37.095{E1BD9FC2-D335-609A-9D00-00000000BB01}32643944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E1BD9FC2-8259-609D-8C51-00000000BB01}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000579025Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:37.096{E1BD9FC2-8259-609D-8C51-00000000BB01}4272C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E1BD9FC2-D2B9-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{E1BD9FC2-D335-609A-9D00-00000000BB01}3264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000677246Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:38.628{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37F1ED532386BEAA1CB7027B1B3750E,SHA256=F7406004D7D9BC7E03BB08540916535AA7D5FBC7C3A4842310ECCDCBE6B2EEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579037Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:38.767{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A02255EB37C84237D0747D41E7AEF1AF,SHA256=4870366B241E02B92BF12DD38E9A7FA7FA7398DC0B2897EE76401FC8C5164215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677247Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:39.659{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE0A443B26A9DE6B9ED13D4542AE78BA,SHA256=3DD4B49415F21D4387243EF08E73E1DF1DCCDEE4681DEAD9F6BCD98848416A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579039Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:39.798{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=262893EDA3C2374A243A753BC541AD60,SHA256=CCF88B22B0100BCF8C34A72859B6CDC0B5567A7F667905745D4DB5E0E2AAF8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579038Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:39.345{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4DAB8DB223CC26F42C3ECA10928DFED5,SHA256=BFD40866577F1998454ADBE89C409017B507710A620ACE58E6931E0E43ECC186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579041Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:40.860{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63B346140D94EA19FC3F77B22725B27,SHA256=BBBDAD14DAB88E31506768929C16C7F87642FE750E49AB3665EDED3D70CC9029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677248Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:40.689{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300500CD860600ED473417F56C7970A2,SHA256=A7F6B839C69AA502A408EFF421C17E6AA789C2F12739072FA1C3EE76A5CE7C89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000579040Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:37.865{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52945-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000579042Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:41.876{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B70E8E502C87C0FC5831CAC935DA68,SHA256=23788F035BB459B44EB8C8A48ED535EBBBE9C5321CEB60832F84D3D22F6CC2CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677251Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:41.725{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B13E281B7EA16057C7E51D0D7B86BF3,SHA256=F14430D9FD5D388B9CEF8DB68C3CC370461DEA79BB9008705E059AC6A5F251C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677250Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:41.126{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C0BFF49D58598876B0E0E3EED6B6F57,SHA256=51F354530671EA2CFA2E2040A3F4F229CB155C8DD1D55A9258572D14DD484564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677249Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:41.126{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DF29FC63425D767C82F4126AFC42369,SHA256=815C2F25B763786CA5734CC798F0774AE67C21EB6597FD818BCFA17E52E2713D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579043Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:42.909{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2112D137C616FAE6C5F7E4E62F0627F2,SHA256=37FA800361F315044AA53E66840167615923DC18A22978FE4D155197CC1B5D23,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677262Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:40.319{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54140-false10.0.1.12-8000- 23542300x8000000000000000677261Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:42.908{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=A3DE6396B26558D53847AB36F139F3EF,SHA256=1EC6167A21065CC93D00116915AF947F4003D0E6EBE516B40D4E2AB456E1E901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677260Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:42.908{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=DA7D482304DBF7AE53924CD0785A2FC5,SHA256=2672FB94ED5B9150A5B6F9672D27191F2613569F43DDAE6E29B0F4E58ACB1FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677259Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:42.908{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=5AB48CA71CD2132CE69FB3A1427A0E7A,SHA256=4A8C91CD003FB7B84AE2F9F5BE216B67E916A50E47A9C02B753CC035D5D927A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677258Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:42.908{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=9BBB18C7D639456BD4D663A45D782EC4,SHA256=D6A8392FBD1278D515C96009B72EAABE0FAA65D61002203E71C64C97E03A681C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677257Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:42.908{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=3515A9D8BA3CBDCB98B82AC72D3B57B4,SHA256=6C6B5A32EFB2447D308A432DB098102719FF80700CE7BAA0706EC74D7DC23EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677256Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:42.907{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=C0E4AA9F651F81FA70130DFBCFF9F18F,SHA256=052FB2B251D775F1FA0393E1A474A5CC39874926C57DDD5EA0D1C9B877A5F19A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677255Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:42.905{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=91591C3B0529A48BEDDA5495B34D4381,SHA256=C0E48A2E433F2C9F5CFBCEE7A937A958A56AD5BD5F7B03F6B4CE67453CA1A995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677254Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:42.904{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=A07008299FBD5CD5B179D8DDA10C8FA3,SHA256=B6DB7F321377F05CC25985A7AE9168F5C02DCA6C066742710D56EE070B11D5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677253Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:42.840{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C0BFF49D58598876B0E0E3EED6B6F57,SHA256=51F354530671EA2CFA2E2040A3F4F229CB155C8DD1D55A9258572D14DD484564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677252Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:42.740{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DEC26789A88464B9B4E9FE8F3EC6E1,SHA256=553484B2EAD3F4D405DB8AA4237049D624F7611ACD0246B41A3BC04BDA98A5D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677263Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:43.785{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3665D80E3F3430FFFA23AD30D2D1CAE,SHA256=2C4FA2C69D44B82E3D02DAD301AC701D3C6F501ECB375F000337CB3DF9E99B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579044Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:43.941{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBE04F6DB5E4D2C9F727438D74FBA57,SHA256=D6436C1FB50033199ADB50028D363CEF6E0EE4C8E1DD03F552E123F70D61AC30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579045Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:44.943{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B3068BF4D0BBC130046A0D08F0A648,SHA256=06FBE4DDF1D3515C5B2C1165A9869F74DC0A65EB86090399922BE5B83712FEE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677264Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:44.869{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68FDFAEF993B503527D45D5E935820F0,SHA256=460FC661AD04AF278ECEEBEE0872C95BEA1A220C8A585E99113CBC670F8A6FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579048Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:45.959{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46BB866F8A54E7E4ED548EC59F233243,SHA256=64B7A38C8D139E4037DFCB33F2CE9F39E17D114B28A0EA1FD10D36F3D769D377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677281Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.884{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C34CD4A85E91A1D5DFB4352F7AA0AA,SHA256=2AB420E40976552CB11BE47BF08C8A2AABAC746690E667F0FEC9B6757583B76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579047Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:45.225{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF9BCF339D3287092BE0B0418596ED59,SHA256=780413E2841D1321F9C7CB1C0AD68E5F70A4BD228EE7BB645FBEEFB7757512BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579046Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:45.225{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44E484370396E357839F3371FD3884E5,SHA256=7A4E85AD33DB8636C2CCCD3786863F3C8ECE83F169BF8CF3DA746462222F9893,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677280Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.684{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8261-609D-7E56-00000000BA01}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677279Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.684{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677278Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.684{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677277Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.684{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677276Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.684{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677275Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.684{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-8261-609D-7E56-00000000BA01}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000677274Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.684{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8261-609D-7E56-00000000BA01}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000677273Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.685{7B03F3B2-8261-609D-7E56-00000000BA01}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000677272Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.005{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8261-609D-7D56-00000000BA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677271Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.003{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677270Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.003{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677269Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.003{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677268Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.002{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677267Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.002{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8261-609D-7D56-00000000BA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000677266Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.002{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8261-609D-7D56-00000000BA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000677265Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.002{7B03F3B2-8261-609D-7D56-00000000BA01}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000677293Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:46.906{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=885A68C5A3E8A456D955434FC4DAFEE7,SHA256=4877EC2EA36295A53D87AB35546F2154003ADB6A93614EB6C8FE38F7FE4F9EEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000579049Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:43.852{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52946-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x8000000000000000677292Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:45.348{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54141-false10.0.1.12-8000- 10341000x8000000000000000677291Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:46.438{7B03F3B2-8262-609D-7F56-00000000BA01}56407236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677290Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:46.238{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8262-609D-7F56-00000000BA01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677289Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:46.238{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677288Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:46.238{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677287Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:46.238{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677286Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:46.238{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677285Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:46.238{7B03F3B2-D0C8-609A-0500-00000000BA01}412768C:\Windows\system32\csrss.exe{7B03F3B2-8262-609D-7F56-00000000BA01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000677284Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:46.238{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8262-609D-7F56-00000000BA01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000677283Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:46.240{7B03F3B2-8262-609D-7F56-00000000BA01}5640C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000677282Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:46.038{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D29011FF9E96FB52A2C2817718A5020,SHA256=2D04DBCE7E24CB175AAB629AF6B9A70E6E395785BAC42B6220D85B05A2C8464B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677312Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.907{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9DBFEC6288D5A8456780E56BEFC6D6,SHA256=360CA197E0A7575484B4019CA685C66496BD8E4D4A8921B4EF064B046236D4C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579050Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:47.005{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F27EA1438875FC444A610DF0D69E3F,SHA256=5652FBE15CBDDE43E334994B209C62A28081A993912469AEEE1E0BEBF9D9446A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677311Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.805{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8263-609D-8156-00000000BA01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677310Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.803{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677309Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.803{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677308Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.803{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677307Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.803{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677306Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.803{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8263-609D-8156-00000000BA01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000677305Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.802{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8263-609D-8156-00000000BA01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000677304Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.802{7B03F3B2-8263-609D-8156-00000000BA01}5400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000677303Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.338{7B03F3B2-8263-609D-8056-00000000BA01}77285496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000677302Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.238{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF78DE92C321ACA975857BD052D5A38D,SHA256=9238E1614FB99E6DBAC556063FCD18C2EE987FB6151597277CF6E55957EC2404,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677301Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.123{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8263-609D-8056-00000000BA01}7728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677300Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.123{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677299Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.123{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677298Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.123{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677297Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.123{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677296Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.123{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-8263-609D-8056-00000000BA01}7728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000677295Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.123{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8263-609D-8056-00000000BA01}7728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000677294Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:47.123{7B03F3B2-8263-609D-8056-00000000BA01}7728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000677315Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:48.923{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=544002BC620211040BE88C5F9B1C62FB,SHA256=67D398DE0E3ACEF8C0E07B466B3BBDA2691BC4F18AC1EA960F5648BE6113CE49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579051Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:48.036{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCAADDA5A5BA221AA6D330058BC476D3,SHA256=B301C6055BFDE28A7850C3F048F837A0A3BF5BF5E8D4D5848DBFDA220F86C868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677314Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:48.339{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=205345507975D14113D0A227F9B39DDF,SHA256=6DFED2CDAEC78C4456C33C75854FFB871B619D05F7D5FB36AF94B2B66A648BE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677313Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:48.124{7B03F3B2-8263-609D-8156-00000000BA01}54001324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000677316Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:49.937{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0367B87AFC89B6A73D43FB9E24E69A,SHA256=5E9E663BE65987A005596D79D237E56308B9EEB7FD6AE3B2FA96E7EA3D9A5E4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579052Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:49.068{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A4A9E6E05E29933A302DC822E89935,SHA256=DE806748666EBF897C1743058E1C9507F20652584C5DE6C77C6FB36FED4B7284,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677326Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:50.968{7B03F3B2-8266-609D-8256-00000000BA01}21086092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000677325Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:50.953{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=691831791B634E8641C1DAEEDB8BD6C4,SHA256=83101FA41A44FD069663F72E268318D09855048A5D9A08CBB4BCCD756CEC3594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579053Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:50.083{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1EAFDE176B3EA381803D2BAA5CD9179,SHA256=8A3046623EB45D9D217B89BE8DBAA4FEF17BC8A762837CE0C327C604BE62849E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677324Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:50.737{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8266-609D-8256-00000000BA01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677323Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:50.737{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677322Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:50.737{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677321Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:50.737{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677320Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:50.737{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677319Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:50.737{7B03F3B2-D0C8-609A-0500-00000000BA01}412532C:\Windows\system32\csrss.exe{7B03F3B2-8266-609D-8256-00000000BA01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000677318Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:50.737{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8266-609D-8256-00000000BA01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000677317Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:50.738{7B03F3B2-8266-609D-8256-00000000BA01}2108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000677336Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:51.956{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8273FF0E11E11C854DC268F625B63653,SHA256=51193CB22F1E58649F8DC1A1E9D9F01F6F26DE61ACCA273892AF76670D81CFDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579056Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:51.099{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51559AE8759FFBC9CB9159375C62D975,SHA256=46BF10C2C23A5BFF36974B0EDCF79607F6EEC6495DBB9B070A3BAD50681A30C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677335Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:51.741{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=494510A56F21C9302E47062ECD9C2890,SHA256=79897FA781E84A4F14E03B49BFE8B9CD2EC3243DBA26F449E82CF63053983310,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000677334Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:51.403{7B03F3B2-5121-609D-3650-00000000BA01}11765040C:\Windows\system32\conhost.exe{7B03F3B2-8267-609D-8356-00000000BA01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677333Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:51.401{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677332Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:51.401{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677331Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:51.401{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677330Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:51.401{7B03F3B2-D0CA-609A-0C00-00000000BA01}8565700C:\Windows\system32\svchost.exe{7B03F3B2-D0D7-609A-2C00-00000000BA01}1572C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000677329Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:51.401{7B03F3B2-D0C8-609A-0500-00000000BA01}412428C:\Windows\system32\csrss.exe{7B03F3B2-8267-609D-8356-00000000BA01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000677328Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:51.400{7B03F3B2-5120-609D-3250-00000000BA01}15325964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7B03F3B2-8267-609D-8356-00000000BA01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000677327Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:51.400{7B03F3B2-8267-609D-8356-00000000BA01}4388C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7B03F3B2-D0C8-609A-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7B03F3B2-5120-609D-3250-00000000BA01}1532C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000579055Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:51.052{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADB34F9E6338A2F4DB7533C464232DAD,SHA256=180522F82AE087546015DC30A12D5E8AAC8CB99C166EBC18D339C8AEB17E325A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579054Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:51.052{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF9BCF339D3287092BE0B0418596ED59,SHA256=780413E2841D1321F9C7CB1C0AD68E5F70A4BD228EE7BB645FBEEFB7757512BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677338Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:52.971{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F615F9FB0DFF66AD67A7E3D3A25A114A,SHA256=4A36AFD3E456C1C5D46BA0064D27559007B533AB82A3C8A6D000921FC5AFA714,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000579058Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:49.681{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52947-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000579057Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:52.115{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63C0DFC0F6BC5B314585320F3AFE4A1,SHA256=92CAFA8A2822D1B920E2089D165DE9A5F59D8706D1EA4169FECD0FF818D65861,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677337Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:51.366{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54142-false10.0.1.12-8000- 23542300x8000000000000000579059Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:53.146{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3D8C373FF0A6059A77AA56F96A57BB,SHA256=231F73D0A23A16DA43CA4C9F2D08201006963AB65F58DD2BFE875FD219D103AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677339Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:53.655{7B03F3B2-D0CA-609A-1100-00000000BA01}620NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B73748EAE3EA0F7ED12124FC3CB6E66A,SHA256=105E2130D317939B58FEA05BD7D6BBC1D324915F46F6EDC4005604374A5E7277,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579060Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:54.177{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDAB3CD168A5C32ECF6D3440C4BADF2F,SHA256=198BF051C521A9C2E45D71E7575EB0E538FCE01CEFB72AC0DF2D345B333C37A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677340Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:54.002{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD414B7AA8EA8A5AD9BD119E1B234C6B,SHA256=FE9CCED2E282A204BE275185C82215BC9B4AA1E5B22412E24E7DA1FFC27977CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677341Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:55.018{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962248E216EFCAF0F8671CAB9429A942,SHA256=AC55AB5C70FE8BBD84DFDE0DC52C68E365BE822C591DB3DCE0E47CE26432C01E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579061Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:55.240{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8FE1507A0B0997F36028BA3E0E80EF9,SHA256=DFC2AC142CF897C670C5B4BEF80A99A2F52952ECC0E396B399F610E69961F2B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000579065Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:54.728{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52948-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000579064Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:56.255{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0F60BA85F5FCB76FE2D07ADB8E7635,SHA256=FFE32C3C118CFDBC9B1E6E8C9AE8C8CACF13131A34AE0D36A3DE08F00061A573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677342Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:56.036{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C093D1EBC78A247790935C2818E55AFF,SHA256=385912600F0351A23969C6A5F39C77C0B30EF630A66920D7751BFE44808BEF55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579063Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:56.130{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC31163B823EB0129AF32021E92D7F55,SHA256=B0F92C92FC43981BA727EC2F2BF9BDB7E32F6921A04B1FF9AA257C0165F85338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579062Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:56.130{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADB34F9E6338A2F4DB7533C464232DAD,SHA256=180522F82AE087546015DC30A12D5E8AAC8CB99C166EBC18D339C8AEB17E325A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579066Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:57.271{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0E33903D0215C1EF455FD290E4F625,SHA256=0840BD06DA27D19FC3EA764BA62289AACAAF05CF43E9803058ACF8C749D1BAE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677346Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:56.412{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54143-false10.0.1.12-8000- 23542300x8000000000000000677345Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:57.197{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8014715F3B66E8120B76BEEC77D598B6,SHA256=BA71CAE1008A9A30DA363176375CC4DE5B786A324D3480399B8779B280C3A6F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677344Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:57.197{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DD0B2754552302AA3421082B7A1C2EB,SHA256=091666916DC7D940177505220C5CE3540A3409355D1FA12631D799F06DD919B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677343Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:57.066{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E81615BD972E3E09548FFE9FB6552A,SHA256=6E5DA563569970CB4E21982E5C5877AA1F1721C4AF68A9C2639A136DEB901270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579067Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:58.287{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF2EA2CBE95E45191B339465E6079BEE,SHA256=2FBD86B15CD209983E99E554DBE6DCF0DB1EE07C9F7D26DDB819A650F9632492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677347Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:58.081{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F961221F159EA6099555765FEC3AE1A6,SHA256=B2B5FA51C68098B170E049160489CEB776D2CA492B05C6237117F004A97B9C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677348Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:47:59.095{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C70CA5D9CC5426C5D14E11AA914E5C,SHA256=3040264FFC4AA79F353BAD9652FD24D928C8E647728A527C385A5C7BD31DFAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579069Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:59.958{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC31163B823EB0129AF32021E92D7F55,SHA256=B0F92C92FC43981BA727EC2F2BF9BDB7E32F6921A04B1FF9AA257C0165F85338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579068Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:59.334{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA72593226F129AE13ED5F3F66D0CB98,SHA256=F5E98A3DA84BF285EC8ADBB9C4209438ACE3F3685AFADEF53D42937E0A90AA83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579070Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:48:00.365{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B29F5ABBF09F16CF4CDC77FEC76725,SHA256=FE662D8C290A24134C1EB04CB2FBF9CED388004D5D6344A553924D0019C469D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677349Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:00.113{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC7AE470FB6A48593ACA67D5133B1C58,SHA256=B7A3F3DD517DBECFDF2CE891E4F1DBEF30B6E5E239B16545C4637ACD1F83C555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579072Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:48:01.380{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7569F0909326292603B2DABB838F2843,SHA256=9BF10A4BE7729BA59C110EE0101CD03C8B2CB0714D8345FA2BADB026A392A988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677351Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:01.514{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8014715F3B66E8120B76BEEC77D598B6,SHA256=BA71CAE1008A9A30DA363176375CC4DE5B786A324D3480399B8779B280C3A6F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677350Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:01.131{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A2FE92A8DE85549D8D1B896F875BDB,SHA256=A2032E436FD118C33594306328F3F160A3B8FF94692FBC24C368AC8F8967EA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579071Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:48:01.099{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F8988AC1B4294B8F771ED3B7D149F10,SHA256=11AEF5D551040BE968893CC5440CF0DC0A0753F40A1375C13BC5D4967A20A73F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000579074Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:47:59.728{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52949-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000579073Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:48:02.412{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD9A229E3E7732FB321EFAD45FC1C7CB,SHA256=68CD9F5AA31A1615DC8DB7A34542C1DEF38B25CB1BD1D9AF7C77D4B88708FAD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677365Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:02.960{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=4D4A1548AE4FEB3DCD99591D2B9C0E0B,SHA256=7D078ECCE642E8D17B63E08FA56FB35BAA3CABA019991D785CCAC469C6500076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677364Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:02.960{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=FC58CAEBECC63111E658D7DBFBFDBAE3,SHA256=6C191627DB50E15022C059FA167569E545B8D9B2416EE5B5A0087F5EAA8E9067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677363Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:02.960{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=9E4AD45BED6BD37DD46EE995C4C956C5,SHA256=17D8BF020F167ABA0E34444111BDE30E396D28813077ABB5D7E8923543989ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677362Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:02.960{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=6DA11D68F5EEFDDBEBF7CFE13594F03A,SHA256=A5DCC77F16FFAACC5BFB8F1CD6A804EB0305C0B79330BDED21496AD4B43A2864,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677361Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:02.960{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=F47104CAC33455C011F8F3552DAC8489,SHA256=CC36AC15D7AD75B967C469B9A58ADEB5626C32480CDAE8A492290343FBD58A40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677360Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:02.960{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=FEB8DF88D1D38E63A91FAD96764C2B21,SHA256=E495F775EF4F9B776E635E16E60F37CF1D7D1FDF409360570C762D0FF5711435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677359Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:02.960{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=A156101885C96F8AFFC669DA4570767F,SHA256=FF0984A9BF56E41AC231B2AA08A3EA620CFF939265025EBE18E7DD9718CF65E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677358Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:02.960{7B03F3B2-37B7-609D-644C-00000000BA01}580ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\9n7q2hqo.default-release\datareporting\glean\db\data.safe.binMD5=E472814EF59DAE94777C5E76DCEB8EB6,SHA256=528E02756BE24518E34E60B33039A0E18E5AF823DFFBE4C94E4D7443384D520C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677357Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:02.845{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6236DE253DD4288EFD0E01D564289F99,SHA256=B2374BD4625CF07A60EE90D8D6C1ABC633FC57152C47D639FCA46809FCC99EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677356Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:02.145{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1C134C0AD08BD52E9A6E12B4CD5DE0,SHA256=2334BCCE643E46D554829F3DA0BDBCDDE86C7287260C092D857D6D1A81BFDF38,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677355Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:00.728{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local52976- 354300x8000000000000000677354Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:00.727{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local50644- 354300x8000000000000000677353Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:00.725{7B03F3B2-D0D7-609A-2A00-00000000BA01}2996C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-18.attackrange.local60806-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x8000000000000000677352Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:00.725{7B03F3B2-D0CA-609A-1400-00000000BA01}1076C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-18.attackrange.local64203-true0:0:0:0:0:0:0:1win-dc-18.attackrange.local53domain 23542300x8000000000000000579075Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:48:03.427{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF013DCF073EA4CEABB97623F9AC9E80,SHA256=A787E770C2293BB828F2A9CDECACC9DF79E6CD76AC49DB034A483FCF39F588FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677366Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:03.160{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D4EA78036A79CCDA14D76B249D2746,SHA256=9ADC998DE1A7657B936AB06393BC130E07DB6FBAC179670CF9B2B65DFE2A7F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579076Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:48:04.458{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F949FE3386ACC06F647D6CF88D48E47D,SHA256=7BE89FE974C6B19A9DAAE7447FB5A85AEE9C2636884C8F4FC7C8A8A2AFFE4F21,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000677368Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:02.437{7B03F3B2-5129-609D-6050-00000000BA01}7104C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-18.attackrange.local54144-false10.0.1.12-8000- 23542300x8000000000000000677367Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:04.175{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CC12F0B20C1AA9B47BCBFD939D7BC1,SHA256=8399D8A018143BAD601B016912F298AE2FF30834FF6FB3886C7636B5D89E2AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579077Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:48:05.458{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3109C70307AA4D0175DABD0CE79C87C4,SHA256=829D3F9F72FC88DA459894D72B26B0B96FA2324D256EC9B400F5E8F900448285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677369Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:05.190{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77925B6C0C434947F3DBDD6CBCCA8437,SHA256=1F6CABD7F14C684DE2E1F75EF18235C1920E562F6EA42844F3DF9288ADCA2321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677370Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:06.206{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABED2DEBD2EA00B2FCA9E62C54BECF5A,SHA256=C3B4C79244B3D88BCF222D75F981F7F223ABB6534C5FDE6469AB5547C5C749F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579078Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:48:06.505{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E820B9FE5FB5A0ADD87B91C8A720688,SHA256=02A20F96395E5CAD8B4C2ABBD051C34D67E11DB09C872BB2F549ACD7EFA3E434,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000579082Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:48:05.744{E1BD9FC2-D33D-609A-CB00-00000000BB01}1016C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-681.attackrange.local52950-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x8000000000000000579081Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:48:07.544{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C541C45FBB6FFB6563265052D73BD4D,SHA256=F09A687CEEAA52CE8CD48D26D04961754AEABE687158EE9B58D0485D1667FC85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677373Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:07.856{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71D2447E1F43F773913C47FE82C8DAF7,SHA256=58669C366ABBE3AB57145A23DF82CA8DFC9533AFE9BA01A4A60FD202FE66EED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677372Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:07.856{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1560F12302AE7419A13C5BE9E71816B,SHA256=176FB3B30784B4C961EA280A2636BFA9119F0F7D326483C5230D1BC6AA681A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000677371Microsoft-Windows-Sysmon/Operationalwin-dc-18.attackrange.local-2021-05-13 19:48:07.225{7B03F3B2-5130-609D-6950-00000000BA01}7212NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513006147BF76198783D0026C05E8399,SHA256=91658AB4D4B7C4B93B018A23F3F46543D34D63020A1E39F1A5D16ADCCE9B606A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579080Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:48:07.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D649C946319090054926AD0F08BF3811,SHA256=E2AF1F2CFFDDD4F7871B95638E80B3E1A5E4EC4290B81A451545EC6016CEDA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000579079Microsoft-Windows-Sysmon/Operationalwin-host-681.attackrange.local-2021-05-13 19:48:07.153{E1BD9FC2-D343-609A-D400-00000000BB01}2696NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83F9C035B9794C8381414B7718067E28,SHA256=02DF3F6C57CCDE9A9F51219114ACAE8B718AC15E381295FF7B8E01718EDED8AE,IMPHASH=00000000000000000000000000000000falsetrue